Is Stata affected by the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832)?
James Hassell, StataCorp
Stata 15 and Stata 16 do not use Log4j and are not affected.
Stata 17's core features do not use Log4j. However, the experimental H2O feature does use Log4j. Stata 17 updated to 17 January 2022 includes a patched version of H2O that mitigates the vulnerabilities described in the CVEs. Importantly, if you are not using h2o commands, the affected Log4j library will not be loaded by Stata even if your Stata is not updated.
On 14 December 2021, we released an update that included the then-latest H2O version, 126.96.36.199. H2O 188.8.131.52 incorporated Log4j 2.15, addressing CVE-2021-44228.
On 15 December 2021, it was reported that the fix addressing CVE-2021-44228 in Apache Log4j 2.15 was incomplete in certain non-default configurations, as described in CVE-2021-45046.
On 16 December 2021, we released another update to Stata 17 that included H2O version 184.108.40.206. H2O 220.127.116.11 used the patched Log4j library version 2.16, addressing both CVE-2021-44228 and CVE-2021-45046.
On 17 January 2022, we released another update to Stata 17 that includes H2O version 18.104.22.168. H2O 22.214.171.124 uses the patched Log4j library version 2.17.1, which addresses both CVE-2021-45105 and CVE-2021-44832.
The latest updates can be installed in Stata 17 by typing update all in the Stata Command window. A fully updated Stata 17 is not affected by the CVEs described in this FAQ.
If you are unable to update your Stata installation, the H2O library including the affected Log4j library can be removed from the Stata installation. You can safely delete <stata_installation_directory>/ado/base/jar/libstata-h2o.jar to remove any possibility of the library being loaded.
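To confirm what a given installation actually ships before updating or deleting the jar, the following added example (not StataCorp code) scans a jar, including nested archives, for log4j-core and compares its version with the 2.17.1 named above. It assumes log4j-core is bundled under its standard, unrelocated entry names with its Maven pom.properties present; make_sample_jar builds constructed test input only.

```python
import io, re, sys, zipfile

# Standard log4j-core entry names; FIXED is the Log4j version the FAQ says
# addresses CVE-2021-45105 and CVE-2021-44832.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)

def scan_jar(data, label, depth=0):
    """List log4j-core copies in a jar (bytes), recursing into nested archives."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
                version = tuple(int(g or 0) for g in m.groups()) if m else None
            found.append({"where": label, "version": version,
                          "jndi_lookup": JNDI_CLASS in names,
                          # Plain >= test: backport lines (2.12.x, 2.3.x) read as not fixed.
                          "at_or_above_fixed": version is not None and version >= FIXED})
        for name in sorted(names):
            if depth < 3 and name.lower().endswith((".jar", ".war", ".zip")):
                try:
                    found += scan_jar(zf.read(name), f"{label}!{name}", depth + 1)
                except zipfile.BadZipFile:
                    pass  # entry is not a real archive; skip it
    return found

def make_sample_jar(version, nested=False):
    """Constructed sample input: a minimal jar carrying log4j-core markers."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_CLASS, b"")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the libstata-h2o.jar path given in the FAQ
        with open(path, "rb") as fh:
            print(path, scan_jar(fh.read(), path) or "no log4j-core found")
```

An empty result means no log4j-core was found under the assumed entry names; a relocated (shaded) copy would not be detected by this check.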
Last updated: 16 November 2022