Is SQL Monitor product impacted by the recently discovered log4j vulnerability

agurvits

Hello. Does anybody know whether the SQL Monitor product impacted by the recently discovered log4j vulnerability?

Alex B

Hi @agurvits,

TL;DR - No, SQL Monitor is not impacted by the the CVE-2021-44228 ‘Log4Shell’ vulnerability.

Longer:

Our external Redgate products (including SQL Monitor) are not impacted by the CVE-2021-44228 ‘Log4Shell’ vulnerability as they are built upon .NET and are not susceptible (our Flyway product does utilise Java and our development teams have ensured that it doesn’t ship using log4j / log4shell).

A small number of our internal systems which had used the vulnerable version were thoroughly checked for any evidence of exploitation before being patched and updated.  Redgate takes the security and privacy of its clients seriously and if you have further questions we will happily follow them through with our security team.

Kind regards
Alex

daryoosh

Hi Alex,

How about SQL Compare and SQL Data Compare?

Thanks,

Daryoosh

Alex B

Hi @daryoosh

Apologies for not being clearer - none of our tools are affected by this - (that was this bit above "Our external Redgate products <...> are not impacted").

Our Flyway product does not ship with log4j, but could have used affected versions of this if the customer had it on their machine.  The team have made a change to ensure it now requires unaffected versions of log4j and so will no longer use the affected versions of log4j - see https://flywaydb.org/blog/flyway-log4j-vulnerability for more information on that.

Kind regards,
Alex