My vulnerability scanner recently flagged an unsupported installation of Apache Log4j in a version of MS SQL we just recently deployed (SQL 2019). It causes two high-priority findings that I must get resolved. It seems to be, specifically, the file log4j-1.2.17.jar that is implicated.
Evidently there is a version 2.17.1 available here: https://logging.apache.org/log4j/2.x/download.html
Unfortunately I don't know how to use it. There's no installer, just a bunch of files. The same site has a section of articles that seem to be geared towards how developers can use Apache2 (which seems to be what this file collection actually is) but I'm not a developer, just a systems manager. I suspect this is not just a drag-and-drop operation, as I'm sure the flagged file gets called by the application somehow.
Unfortunately, in addition to not being a developer I do not have an intimate understanding how how MS SQL 2019 actually functions, so I don't know what would go wrong if I simply swapped out that file with a new one manually (and there's no clear candidate for that anyways).
Is there any guidance for how to migrate between versions of Apache for applications that installs a given version for its own use?
Best Answer
If you don't have the source code of a project and just want to fix the log4j 1.x vulnerabilities you can use reload4j project. It allows to replace the file
log4j-1.2.17.jarby the reload4j jar file without other changes.