Jaybird is not directly vulnerable to the Log4j CVEs

Mark Rotteveel

Dec 18, 2021, 4:35:23 AM12/18/21
to firebi...@googlegroups.com
TL;DR: Jaybird is not directly vulnerable to the Log4j CVEs

Like a lot of others in the industry, I have been quite busy over the
last 1.5 weeks with the fallout of the recent Apache Log4j 2.x CVEs*.

I was asked privately about whether or not Jaybird was affected; this
serves as a public notice.

Jaybird does not depend on Log4j 2
==================================

Jaybird itself does not depend on Log4j 2.x, and as such is not directly
affected by the recent Log4j 2 CVEs (but do check "Indirect risks" below).

Jaybird 3 and higher by default use java.util.logging to log information.

Jaybird 2.2 and earlier (all end-of-life) have an *optional* dependency
on Log4j 1.x (which is not affected by the recent CVEs). This is only
used when explicitly included on the classpath, and enabled using the
system property FBLog4j or org.firebirdsql.jdbc.useLog4j[1]. This option
was removed in Jaybird 3.

Indirect risks
==============

If you're redirecting logging to Log4j 2 (e.g. from java.util.logging,
or using a custom implementation of org.firebirdsql.logging.Logger), you
may be vulnerable. If your applications are using Log4j 2, please make
sure to update to Log4j 2.17.0.

Mark

*: For those who missed the news, if you're using Log4j 2, please update
to 2.17.0 (or 2.12.2 if you're using Java 7). For details, see Apache
Log4j Security Vulnerabilities[2]:

[1]: https://firebirdsql.github.io/jaybird-manual/jaybird_manual.html#ref-logging-log4j1
[2]: https://logging.apache.org/log4j/2.x/security.html

--
Mark Rotteveel
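As an added example (not part of Mark's post or of Jaybird itself), a small classpath check for the indirect risk the post describes: it flags any log4j-core jar below the fixed versions named above (2.17.0, or 2.12.2 on the 2.12 branch used with Java 7) and reports whether the log4j-jul bridge, which routes java.util.logging output into Log4j 2, is present. The jar-name pattern and the sample classpath are assumptions constructed for the example.

```python
import re
from pathlib import PurePath

# Fixed versions named in the post: 2.17.0, or 2.12.2 on the Java 7 branch.
FIXED_JAVA7_BRANCH = (2, 12, 2)
FIXED_DEFAULT = (2, 17, 0)

# Assumed jar naming: log4j 2.x artifacts (core, api, jul bridge) and the
# plain log4j-1.x.y.jar of Log4j 1.x, which the post says is not affected.
JAR_RE = re.compile(r"^(log4j(?:-core|-api|-jul)?)-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_jar(path):
    """Return (artifact, (major, minor, patch)) for a Log4j jar, else None."""
    m = JAR_RE.match(PurePath(path).name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_fixed(version):
    """True if a log4j-core version is at or above the fix the post names."""
    if version[:2] == (2, 12):
        return version >= FIXED_JAVA7_BRANCH
    return version >= FIXED_DEFAULT


def assess_classpath(entries):
    """Summarise Log4j 2 exposure for a list of classpath entries (jar paths)."""
    found = {}
    for entry in entries:
        parsed = parse_jar(entry)
        if parsed:
            artifact, version = parsed
            found.setdefault(artifact, []).append(version)
    core = found.get("log4j-core", [])
    return {
        "log4j2_core": sorted(core),
        "outdated_core": sorted(v for v in core if not is_fixed(v)),
        # log4j-jul bridges java.util.logging (Jaybird 3+'s default) into
        # Log4j 2: this is the redirection the "Indirect risks" section means.
        "jul_bridge": "log4j-jul" in found,
        "log4j1_only": "log4j" in found and not core,
    }


if __name__ == "__main__":
    # Constructed sample classpath, not taken from any real deployment.
    sample = ["/app/lib/jaybird-VERSION.jar", "/app/lib/log4j-core-2.14.1.jar",
              "/app/lib/log4j-api-2.14.1.jar", "/app/lib/log4j-jul-2.14.1.jar"]
    print(assess_classpath(sample))
```

On a real system, feed it the jar paths from your application's classpath (e.g. the contents of its lib directory); a non-empty outdated_core together with jul_bridge is the case the post warns about.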