Re: Inquiry about log4j - Mailing list pgadmin-support

From Aditya Toshniwal
Subject Re: Inquiry about log4j
Date
Msg-id CAM9w-_kC8YO9O5UTe5wezzPQYqD9gzrUb_F4UBy47BvDmcU-Aw@mail.gmail.com
List pgadmin-support
Hi David,

pgAdmin4 does not use log4j.

On Thu, Dec 16, 2021 at 4:13 PM IT-Security BCM (OEGK-14) <it-security@oegk.at> wrote:

Dear Toshniwal,

As you probably are aware, the Java logging framework log4j is subject to an RCE vulnerability. Therefore I would like to inquire if pgAdmin 4 is using the log4j library.

 

Kind regards,

David Glaser


David Glaser, BSc
Information Technology

Business Continuity Management


Gruberstraße 77

4021 Linz

Tel. +43 5 0766-14102753

Mobile +43 664 811 5979
david.glaser@oegk.at
www.gesundheitskasse.at

Information pursuant to Art. 13 and 14 of the General Data Protection Regulation concerning the processing of your personal data can be found on our website at www.gesundheitskasse.at/datenschutz.

-----Original Message-----
From: Stefan Kaltenbrunner <stefan@kaltenbrunner.cc>
Sent: Thursday, 16 December 2021 10:45
To: IT-Security BCM (OEGK-14) <it-security@oegk.at>; security@postgresql.org
Subject: Re: Inquiry about log4j

Hi David!

First: This email address is for reporting security vulnerabilities for PostgreSQL per https://www.postgresql.org/support/security/.

However, given the widespread impact of CVE-2021-44228, we can certainly tell you that PostgreSQL itself is not vulnerable to this CVE due to being primarily written in C.

For the two other projects you mentioned you should contact the relevant authors or developers individually to get a definitive answer:

https://www.postgresql.org/list/pgsql-odbc/ might be a good place for pgsql-odbc and https://www.pgadmin.org/support/ for pgadmin 4.

However, given the fact that pgsql-odbc is also written in C and pgadmin 4 is Python, I would not expect any log4j dependencies there.

regards

Stefan

On 16.12.21 09:00, IT-Security BCM (OEGK-14) wrote:

> Dear Sirs and Madams,
>
> As you probably are aware, the Java logging framework log4j is subject
> to an RCE vulnerability (CVE-2021-45046
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>).
>
> I would like to inquire if either postgresql, pgadmin or the psqlodbc
> driver are using the log4j framework and vulnerable to the exploit. If
> they are, information regarding:
>
> - the used version of the framework
>
> - mitigations or patches (if not, when can availability of those be expected)
>
> would be very helpful.
>
> Kind regards,
>
> David Glaser
>
> *David Glaser, BSc*
> Information Technology
>
> Business Continuity Management
>
> Gruberstraße 77
>
> 4021 Linz
>
> Tel. +43 5 0766-14102753
>
> Mobile +43 664 811 5979
> *david.glaser@oegk.at <mailto:david.glaser@oegk.at>*
> *www.gesundheitskasse.at*
> <https://www.gesundheitskasse.at/cdscontent/?contentid=10007.813892&portal=oegkportal>
>
> Information pursuant to Art. 13 and 14 of the General Data Protection Regulation
> concerning the processing of your personal data can be found on our
> website at www.gesundheitskasse.at/datenschutz
> <http://www.gesundheitskasse.at/datenschutz>.



--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | edbpostgres.com
"Don't Complain about Heat, Plant a TREE"