Firebird: Jaybird is not directly vulnerable to the Log4j CVEs

Jaybird is not directly vulnerable to the Log4j CVEs

Mark Rotteveel, the developer of Firebird JDBC driver Jaybird, has confirmed, that Jaybird does not depend on Log4j 2

Jaybird itself does not depend on Log4j 2.x, and as such is not directly affected by the recent Log4j 2 CVEs (but do check "Indirect risks" below).

Jaybird 3 and higher by default use java.util.logging to log information. Jaybird 2.2 and earlier (all end-of-life) have an *optional* dependency on Log4j 1.x (which is not affected by the recent CVEs). This is only used when explicitly included on the classpath, and enabled using the system property FBLog4j or org.firebirdsql.jdbc.useLog4j[1]. This option was removed in Jaybird 3.

Indirect risks

If you're redirecting logging to Log4j 2 (e.g. from java.util.logging, or using a custom implementation of org.firebirdsql.logging.Logger), you may be vulnerable. If your applications are using Log4j 2, please make
sure to update to Log4j 2.17.0.

Share With:

PREVIOUS NEWS

Firebird-driver 1.4.0 released

NEXT NEWS

Jaybird is not directly vulnerable to the Log4j CVEs

Mark Rotteveel, the developer of Firebird JDBC driver Jaybird, has confirmed, that Jaybird does not depend on Log4j 2

Indirect risks

Firebird-driver 1.4.0 released

Jaybird 6.0.0-beta-1 available for testing

Popular

All Reference Manuals

Firebird 5.0

Firebird Performance Webinar (26-NOV-2024)

Firebird Roadmap

Support Firebird