December 18, 2021
Jaybird is not directly vulnerable to the Log4j CVEs

Mark Rotteveel, the developer of the Firebird JDBC driver Jaybird, has confirmed that Jaybird does not depend on Log4j 2.

Jaybird itself does not depend on Log4j 2.x, and as such is not directly affected by the recent Log4j 2 CVEs (but do check "Indirect risks" below). 

Jaybird 3 and higher by default use java.util.logging to log information. Jaybird 2.2 and earlier (all end-of-life) have an *optional* dependency on Log4j 1.x (which is not affected by the recent CVEs). This is only used when explicitly included on the classpath, and enabled using the system property FBLog4j or org.firebirdsql.jdbc.useLog4j[1]. This option was removed in Jaybird 3.

Indirect risks

If you're redirecting logging to Log4j 2 (e.g. from java.util.logging, or using a custom implementation of org.firebirdsql.logging.Logger), you may be vulnerable. If your applications are using Log4j 2, please make sure to update to Log4j 2.17.0.
