Log4net version 2.0.8.0 vulnerability warning
Hi,
I get a critical vulnerability warning on C:\Program Files (x86)\Red Gate\SQL Doc 5\log4net.dll. The Redgate SQL Doc 5 version is 5.0.5.1790. As I am not actively using the product right now, I decided to just uninstall it. But I wonder if other Redgate products/software are still vulnerable to Log4net issues!? Moreover, I would like Redgate to push newer versions of the products even if the ones installed on the customers' sites have no license and will remain unusable even after the upgrade... So, when opening an unlicensed Redgate product the behavior would remain the same except for a message stating that I am not "using" the latest version.
Kind regards,
Werner
Answers
https://www.red-gate.com/privacy-and-security/vulnerabilities/2021-12-15-log4j-statement
CVE-2021-44228 (log4shell) and Redgate's products
This page details the results of Redgate's investigation into the impact of the recent vulnerability in log4j, CVE-2021-44228.
Redgate's products
None of Redgate's products include log4j. You do not need to upgrade any of Redgate's products to mitigate this vulnerability.
If you are using Flyway's Java integration, it is able to use a version of log4j loaded on its classpath by your code - if you choose to do this, you should ensure you are using a non-vulnerable version of log4j. The Flyway CLI does not use log4j.
Redgate's business systems
Redgate conducted an assessment of its business systems on 10th December 2021.
A small number of our systems were found to be potentially vulnerable; we undertook remediation of these systems through 11th December 2021.
We found no evidence of malicious activity prior to remediation.
Update 2021-12-17
Following the disclosure of the additional CVE-2021-45046 and further mitigations required for log4j 2.15.0, we have re-assessed our infrastructure and upgraded to log4j 2.16.0 or removed the JndiLookup class as appropriate. We do not rely on earlier mitigations using log4j2.formatMsgNoLookups.
Victoria Wiseman | Redgate Software
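As an added example (not Redgate's code and not from the forum post), the check below applies the two mitigations named in the statement above, upgrade of log4j-core to at least 2.16.0 or removal of JndiLookup.class, to the bytes of a jar file, and reports a .NET assembly such as the log4net.dll from the original question as not a jar at all. The 2.16.0 threshold, the manifest field used for the version, and the sample jars it builds are assumptions and constructed stand-ins, not real Apache artifacts.

```python
import io
import re
import zipfile

# Class the Redgate statement says it removed from log4j-core where upgrading
# to 2.16.0 was not appropriate, plus the package prefix that marks log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); assumes a plain dotted numeric version."""
    return tuple(int(p) for p in text.split("."))

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def assess_log4j_core(data, minimum="2.16.0"):
    """Classify a file against the statement's two mitigations: log4j-core at
    or above `minimum`, or JndiLookup.class removed. An unknown version with
    the class present is reported as vulnerable (conservative)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-a-jar"  # e.g. a .NET assembly such as log4net.dll
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    if not any(n.startswith(CORE_PREFIX) for n in names):
        return "not-log4j-core"
    if JNDI_LOOKUP not in names:
        return "mitigated-class-removed"
    if version and parse_version(version) >= parse_version(minimum):
        return "mitigated-version"
    return "vulnerable"

def build_sample_jar(version, include_jndi):
    """Constructed stand-in for a log4j-core jar; not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Feed `assess_log4j_core` the bytes of each jar found on a host; the constructed `build_sample_jar` inputs exercise every verdict, and a PE file such as log4net.dll yields `not-a-jar`.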