Title: Is Stata affected by the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832)?
Author: James Hassell, StataCorp
Stata 15 and Stata 16 do not use Log4j and are not affected.
Stata 17's core features do not use Log4j. However, the experimental H2O feature does use Log4j. Stata 17 updated to 17 January 2022 includes a patched version of H2O that mitigates the vulnerabilities described in the CVEs. Importantly, if you are not using h2o commands, the affected Log4j library will not be loaded by Stata even if your Stata is not updated.
On 14 December 2021, we released an update that included the then-latest H2O version, 188.8.131.52. H2O 184.108.40.206 incorporated Log4j 2.15, addressing CVE-2021-44228.
On 15 December 2021, it was reported that the fix addressing CVE-2021-44228 in Apache Log4j 2.15 was incomplete in certain non-default configurations, as described in CVE-2021-45046.
On 16 December 2021, we released another update to Stata 17 that included H2O version 220.127.116.11. H2O 18.104.22.168 used the patched Log4j library version 2.16, addressing both CVE-2021-44228 and CVE-2021-45046.
On 17 January 2022, we released another update to Stata 17 that includes H2O version 22.214.171.124. H2O 126.96.36.199 uses the patched Log4j library version 2.17.1, which addresses both CVE-2021-45105 and CVE-2021-44832.
The latest updates can be installed in Stata 17 by typing update all in the Stata Command window. A fully updated Stata 17 is not affected by the CVEs described in this FAQ.
If you are unable to update your Stata installation, you can remove the H2O library, which includes the affected Log4j library, from the Stata installation. You can safely delete <stata_installation_directory>/ado/base/jar/libstata-h2o.jar to remove any possibility of the library being loaded.
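To confirm which Log4j version an installation's libstata-h2o.jar actually carries before deciding between updating and deleting it, the following added example (not StataCorp's code) inspects the jar passed as its first argument. It assumes the bundled log4j-core keeps its standard Maven pom.properties and JndiLookup class paths, possibly inside nested jars, and compares against 2.17.1, the version this FAQ names for the 17 January 2022 update.

```python
import io
import re
import sys
import zipfile

# Log4j version this FAQ gives for the fully updated Stata 17.
PATCHED = (2, 17, 1)
# Standard log4j-core paths; assumed to be preserved inside the H2O jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_jar(data, depth=0):
    """Return (versions, has_jndi) for a jar given as bytes, following nested jars."""
    versions, has_jndi = set(), False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(POM):
                m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    versions.add(m.group(1))
            elif name.endswith(JNDI):
                has_jndi = True
            elif name.endswith(".jar") and depth < 3:
                try:
                    v, j = scan_jar(zf.read(name), depth + 1)
                except zipfile.BadZipFile:
                    continue  # not a readable archive; skip it
                versions |= v
                has_jndi = has_jndi or j
    return versions, has_jndi

def is_patched(version):
    """True if the numeric part of version is at least PATCHED."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= PATCHED

def assess(data):
    """Classify a jar (bytes) by the log4j-core copies found inside it."""
    versions, has_jndi = scan_jar(data)
    if not versions:
        return "log4j-core present, version unknown" if has_jndi else "no log4j-core found"
    if all(is_patched(v) for v in versions):
        return "patched"
    return "needs update or removal"

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(assess(fh.read()))
```

A result of "log4j-core present, version unknown" means the classes are there but the metadata is not, so treat the jar as unverified and rely on update all or deletion.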