Re: Inquiry about log4j

From: Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>
To: "IT-Security BCM (OEGK-14)" <it-security(at)oegk(dot)at>
Cc: pgAdmin Support <pgadmin-support(at)postgresql(dot)org>
Subject: Re: Inquiry about log4j
Date: 2021-12-16 10:52:17
Message-ID: CAM9w-_kC8YO9O5UTe5wezzPQYqD9gzrUb_F4UBy47BvDmcU-Aw@mail.gmail.com
Lists: pgadmin-support

Hi David,

pgAdmin4 does not use log4j.

On Thu, Dec 16, 2021 at 4:13 PM IT-Security BCM (OEGK-14) <
it-security(at)oegk(dot)at> wrote:

> Dear Toshniwal,
>
> as you probably are aware, the Java logging framework log4j is subject to
> an RCE vulnerability. Therefore I would like to inquire whether pgAdmin 4 is
> using the log4j library.
>
> Kind regards,
>
> David Glaser
>
> *David Glaser, BSc*
> Information Technology
> Business Continuity Management
>
> Gruberstraße 77
> 4021 Linz
> Tel. +43 5 0766-14102753
> Mobile +43 664 811 5979
> *david(dot)glaser(at)oegk(dot)at <david(dot)glaser(at)oegk(dot)at>*
> *www.gesundheitskasse.at*
> <https://www.gesundheitskasse.at/cdscontent/?contentid=10007.813892&portal=oegkportal>
>
> Information pursuant to Art. 13 and 14 of the General Data Protection
> Regulation concerning the processing of your personal data can be found on
> our website at www.gesundheitskasse.at/datenschutz.
>
> -----Original Message-----
> From: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>
> Sent: Thursday, 16 December 2021 10:45
> To: IT-Security BCM (OEGK-14) <it-security(at)oegk(dot)at>;
> security(at)postgresql(dot)org
> Subject: Re: Inquiry about log4j
>
> Hi David!
>
> First: This email address is for reporting security vulnerabilities for
> PostgreSQL per https://www.postgresql.org/support/security/.
>
> However given the widespread impact of CVE-2021-44228 we can certainly
> tell you that PostgreSQL itself is not vulnerable to this CVE due to being
> primarily written in C.
>
> For the two other projects you mentioned you should contact the relevant
> authors or developers individually to get a definitive answer:
>
> https://www.postgresql.org/list/pgsql-odbc/ might be a good place for
> pgsql-odbc and https://www.pgadmin.org/support/ for pgadmin 4
>
> However, given the fact that pgsql-odbc is also written in C and pgadmin 4
> is Python, I would not expect any log4j dependencies there.
>
> regards
>
> Stefan
>
> On 16.12.21 09:00, IT-Security BCM (OEGK-14) wrote:
>
> > Dear Sirs and Madams,
> >
> > as you probably are aware, the Java logging framework log4j is subject
> > to an RCE vulnerability (CVE-2021-45046
> > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>).
> >
> > I would like to inquire if either postgresql, pgadmin or the psqlodbc
> > driver are using the log4j framework and vulnerable to the exploit. If
> > they are, information regarding:
> >
> > - the used version of the framework
> >
> > - mitigations or patches (if not, when can availability of those be
> > expected)
> >
> > would be very helpful.
> >
> > Kind regards,
> >
> > David Glaser
> >
> > *David Glaser, BSc*
> > Information Technology
> > Business Continuity Management
> >
> > Gruberstraße 77
> > 4021 Linz
> > Tel. +43 5 0766-14102753
> > Mobile +43 664 811 5979
> > *david(dot)glaser(at)oegk(dot)at <mailto:david(dot)glaser(at)oegk(dot)at>*
> > *www.gesundheitskasse.at*
> > <https://www.gesundheitskasse.at/cdscontent/?contentid=10007.813892&portal=oegkportal>
> >
> > Information pursuant to Art. 13 and 14 of the General Data Protection
> > Regulation concerning the processing of your personal data can be found
> > on our website at www.gesundheitskasse.at/datenschutz
> > <http://www.gesundheitskasse.at/datenschutz>.
>

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | *edbpostgres.com*
<http://edbpostgres.com>
"Don't Complain about Heat, Plant a TREE"
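The question this thread turns on, whether a given installation ships log4j at all, is one a practitioner would normally verify on disk rather than take from an e-mail, especially for Java components that may sit next to a Python or C product (a bundled JDBC tool, a monitoring agent, a fat JAR). The scanner below is an added example; it is not code from pgAdmin, EnterpriseDB or anyone in the thread. It walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside them), reports any that bundle log4j-core or still contain JndiLookup.class, and checks the bundled version against the releases that fixed the two CVEs named above (CVE-2021-44228 and CVE-2021-45046). The JARs it writes under a temporary directory are constructed fixtures, not real artifacts.

```python
# Added example, not pgAdmin or thread code; the sample JARs below are constructed fixtures.
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Class enabling the JNDI lookups abused by CVE-2021-44228 / CVE-2021-45046.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries version
ARCHIVE_EXTS = (".jar", ".war", ".ear")

@dataclass
class Finding:
    path: str               # filesystem path; "!" separates nested archives
    version: Optional[str]  # log4j-core version from pom.properties, if any
    has_jndi_lookup: bool   # JndiLookup.class still present in the archive

def _parse_version(props: bytes) -> Optional[str]:
    m = re.search(rb"^version=(.+)$", props, re.M)
    return m.group(1).decode().strip() if m else None

def _inspect(zf: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    version = _parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        out.append(Finding(label, version, has_jndi))
    for name in sorted(names):  # recurse into fat/shaded JARs and WAR libs
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect(inner, f"{label}!{name}", out)
            except zipfile.BadZipFile:
                pass

def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXTS):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, fn)) as zf:
                        _inspect(zf, os.path.join(dirpath, fn), findings)
                except zipfile.BadZipFile:
                    pass
    return findings

def _version_tuple(version: str) -> tuple:
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in version.split(".")) if m]
    return tuple((nums + [0, 0, 0])[:3])  # "2.0-beta9" -> (2, 0, 0)

def is_fixed(version: str) -> bool:
    """Unaffected by CVE-2021-44228/-45046: 2.16.0+, or 2.12.2+ (Java 7 branch),
    or 2.3.1+ (Java 6 branch). Later log4j CVEs fixed in 2.17.0+ are out of scope."""
    v = _version_tuple(version)
    if v[:2] == (2, 12):
        return v >= (2, 12, 2)
    if v[:2] == (2, 3):
        return v >= (2, 3, 1)
    return v >= (2, 16, 0)

def needs_attention(f: Finding) -> bool:
    """A JAR with JndiLookup.class deleted (Apache's stop-gap) is not flagged."""
    return f.has_jndi_lookup and (f.version is None or not is_fixed(f.version))

def report(root: str) -> Dict[str, Tuple[Optional[str], bool, bool]]:
    out = {}
    for f in scan_tree(root):  # key: path relative to root, keeping any "!nested" suffix
        outer, sep, inner = f.path.partition("!")
        key = os.path.relpath(outer, root).replace(os.sep, "/") + sep + inner
        out[key] = (f.version, f.has_jndi_lookup, needs_attention(f))
    return out

def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree() -> str:
    """Constructed fixture (not real artifacts) with one JAR per case."""
    core = lambda ver: {POM_PROPS: f"version={ver}\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"}
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "lib/log4j-core-2.14.1.jar": _jar(core("2.14.1")),  # vulnerable
        "lib/log4j-core-2.14.1-mitigated.jar": _jar({POM_PROPS: "version=2.14.1\n"}),  # class removed
        "app/fat-app.jar": _jar({"BOOT-INF/lib/log4j-core-2.16.0.jar": _jar(core("2.16.0"))}),  # nested
        "app/plain.jar": _jar({"com/example/App.class": b"\xca\xfe\xba\xbe"}),  # no log4j
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for key, (ver, jndi, flag) in sorted(report(build_sample_tree()).items()):
        print(f"{'ALERT' if flag else 'ok   '} {key} version={ver} JndiLookup={jndi}")
```

To check a real machine, call scan_tree() or report() on the installation root (the JRE, application and agent directories) instead of build_sample_tree(). The mitigated fixture shows the one deliberate design choice: a 2.14.1 JAR from which JndiLookup.class has been deleted is reported but not flagged, because the lookups the two CVEs abuse cannot run without that class, which is why Apache recommended removing it where an immediate upgrade was not possible.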
