How to replace/update Apache Log4j 1.2.x with 2.17?


My vulnerability scanner recently flagged an unsupported installation of Apache Log4j in a version of MS SQL we just recently deployed (SQL 2019). It causes two high-priority findings that I must get resolved. It seems to be, specifically, the file log4j-1.2.17.jar that is implicated.

Evidently there is a version 2.17.1 available here:

Unfortunately I don't know how to use it. There's no installer, just a bunch of files. The same site has a section of articles that seem to be geared towards how developers can use Apache2 (which seems to be what this file collection actually is) but I'm not a developer, just a systems manager. I suspect this is not just a drag-and-drop operation, as I'm sure the flagged file gets called by the application somehow.

Unfortunately, in addition to not being a developer I do not have an intimate understanding of how MS SQL 2019 actually functions, so I don't know what would go wrong if I simply swapped out that file with a new one manually (and there's no clear candidate for that anyways).

Is there any guidance for how to migrate between versions of Apache for applications that install a given version for their own use?

Thank you; I had searched Technet but came up without clues before. It seems to me that the only real solution is to remove the specific offending file. Manually deleting it appears to be the only way to achieve this. I gave this a shot and it appears to mitigate the findings in question, and has not seemed to impact the app tier above this database. Will monitor, however.

If you don't have the source code of a project and just want to fix the log4j 1.x vulnerabilities, you can use the reload4j project. It allows you to replace the file log4j-1.2.17.jar with the reload4j jar file without other changes.

The reload4j project is a fork of Apache log4j version 1.2.17 in order to fix most pressing security issues. It is intended as a drop-in replacement for log4j version 1.2.17. By drop-in, we mean the replacement of log4j.jar with reload4j.jar in your build without needing to make changes to source code, i.e. to your java files.
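
An inventory check for the jar swap discussed above, as an added example (not code from the original posts or from the reload4j project): it walks a directory and reports every jar that carries log4j 1.x classes, telling stock log4j 1.x from reload4j by the Maven metadata inside the jar. The metadata paths assume unmodified Maven-built jars; `make_jar` and the sample file are constructed for the demo.

```python
import os, re, sys, tempfile, zipfile

# Class shipped by log4j 1.x and, because it is a fork, by reload4j too.
MARKER = "org/apache/log4j/Logger.class"
# Maven metadata paths (assumption: unmodified Maven-built jars).
POMS = (("reload4j", "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties"),
        ("log4j-1.x", "META-INF/maven/log4j/log4j/pom.properties"))

def pom_version(text):
    """Pull the version= value out of a pom.properties file."""
    m = re.search(r"^version=(.+)$", text, re.M)
    return m.group(1).strip() if m else "unknown"

def inspect_jar(path):
    """Return (kind, version) for a jar carrying log4j 1.x classes, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if MARKER not in names:
                return None
            for kind, pom in POMS:
                if pom in names:
                    return kind, pom_version(zf.read(pom).decode("utf-8", "replace"))
            return "log4j-1.x classes, origin unknown", "unknown"
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable or not a zip archive

def scan(root):
    """Walk root; return (path, kind, version) for every matching .jar."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.lower().endswith(".jar")):
            path = os.path.join(dirpath, name)
            if hit := inspect_jar(path):
                found.append((path, *hit))
    return found

def make_jar(path, entries):
    """Write a constructed sample jar (demo data, not a real library)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no directory given: scan a constructed sample
        make_jar(os.path.join(root, "log4j-1.2.17.jar"),
                 {MARKER: b"", POMS[1][1]: "version=1.2.17\n"})
    for path, kind, version in scan(root):
        print(f"{kind}\t{version}\t{path}")
```

Run it with the application's install directory as the argument before and after the swap; a remaining `log4j-1.x` row is a copy that was not replaced.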

