-
Title
Log4j Vulnerability CVE-2021-44228 -
Description
Are Toad products affected by the Log4j vulnerability CVE-2021-44228? -
Resolution
Toad for Oracle:
Toad for Oracle does not use Log4j. Therefore this vulnerability does not affect the product.
Toad for Oracle uses OraLDAPClntNN.dll (where NN is oracle version number like 12, 18, 19, etc)
It's unclear if Oracle LDAP client this uses Log4j, but believe this is not the case.Some more information about the exploit:
"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled"
Toad doesn't use any log message lookup substitution. The only messages we get from LDAP are numeric error codes, and Toad does not use any lookup substitution on them, or anything else.
Toad Edge:
Toad Edge doesn't use Log4j 2, but does use Log4 1.2.17
The range for this particular security vulnerability (CVE-2021-44228) is Log 4j 2.x to Log4j 2.15.0-rc1
Also, Toad Edge is not a server based application. The attack needs to happen over HTTP(S) requests.
Unaffected products:Toad for Oracle
Toad for Oracle Editions
Toad for SQL Server
Toad for DB2
Toad for SAP
Toad for Data Point
Toad Intelligence Central
Toad Data Modeler
Toad Edge
SQL Navigator
SQL Optimizer for Oracle
SQL Optimizer for SQL Server
SQL Optimizer for DB2 LUW
SQL Optimizer for DB2 ZOS
SQL Optimizer for SAP
Benchmark Factory for Databases
Code Tester for Oracle
Toad DevOps Toolkit
Spotlight on Oracle
Spotlight on SAP
Spotlight on DB2 LUW