Question

Does the log4j pose a risk when Microsoft SQL server is installed with BVMS installation package?

Answer

We have identified that the vulnerable Log4j 1.2.17 component is installed as part of the setup of Microsoft SQL Server 2019 on Windows, all editions. The vulnerable component is not actively used or called by the SQL Server or by the BVMS. This means that the vulnerabilities are not exploitable unless you install some additional components that refer to the vulnerable component. Therefore, there is no risk of exploitation within the SQL Server or BVMS environment.

There is a security information published: here → this security information gives exact details on how to mitigate this and how to achieve that the vulnerable log4j component gets removed by installing that cumulative patch from Microsoft

• latest version of the patch: Download Microsoft® SQL Server® 2019 Latest Cumulative Update from Official Microsoft Download Cente...
  • https://learn.microsoft.com/en-us/troubleshoot/sql/releases/sqlserver-2019/cumulativeupdate25

BVMS is not using log4j, and neither is the SQL server in the way we use it. (only to use the MS SQL Server installer "as is" and it installs the log4j binaries)

Additionally, BVMS does not install Java runtime, and in absence of that, the log4j does not pose a risk.

Therefore, this is similar to the statement for CVE-2021-44228 that BVMS is not affected CVE-2021-44228 not affected BT productsR8.indd (boschsecurity.com)

In response to CVE-2021-44228 Microsoft advised (https://msrc.microsoft.com/blog/2021/12/microsofts-response-to-cve-2021-44228-apache-log4j2/#sql-ser...) to a user who enables Java to “upgrade to the latest version or remove the Java Archives (JARs) that require the dependency”.

Is the end customers install Java runtime by themselves (or any other 3rd party software that installs Java) and use 3rd party software that makes use of the log4j from SQL Server DTS folder, then it becomes more challenging as in this case the customer may create vulnerable PC configuration (that might in turn endanger BVMS or any other software on target PC/network). This cannot be prevented by us and it is responsibility of the end customer to ensure vendor provided patches are also installed in timely manner.

 Nice to know:

Subscribe to this article and stay up to date with the latest published Security Advisories related to Bosch products:

• Bosch Security Advisories - PSIRT (Product Security Incident Response Team)