| Title | Is Stata affected by the Log4j vulnerability (CVE-2021-44228 and subsequent CVE-2021-45046)? |
| Author | James Hassell, StataCorp |
Stata 15 and Stata 16 do not use Log4j and are not affected.
Stata 17's core features do not use Log4j. However, the experimental H2O feature does use Log4j. Stata 17 with the 16 December 2021 update includes a patched version of Log4j that mitigates the vulnerabilities described in the CVEs. Importantly, if you are not using h2o commands, the affected Log4j library will not be loaded by Stata even if your Stata is not updated.
On 14 December 2021, we released an update that included the then-latest H2O version, 220.127.116.11. H2O 18.104.22.168 incorporated Log4j 2.15, which addresses CVE-2021-44228.
On 15 December 2021, it was reported that the fix addressing CVE-2021-44228 in Apache Log4j 2.15 was incomplete in certain non-default configurations, as described in CVE-2021-45046.
Subsequently, on 16 December 2021, we released another update to Stata 17 that includes H2O 22.214.171.124. H2O 126.96.36.199 uses the patched Log4j library, version 2.16, which addresses both CVE-2021-44228 and CVE-2021-45046.
The latest updates can be installed in Stata 17 by typing update all in the Stata Command window. A fully updated Stata 17 is not affected by the CVEs described in this FAQ.
If you are unable to update your Stata installation, the H2O library, including the affected Log4j library, can be removed from the Stata installation. You can safely delete <stata_installation_directory>/ado/base/jar/libstata-h2o.jar to remove any possibility of the library being loaded.
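To confirm on a given machine that the update or the jar removal described above took effect, the following added example (not StataCorp code) checks whether libstata-h2o.jar is present and which Log4j version it bundles. It assumes the jar keeps log4j-core's standard Maven pom.properties entry, either directly or inside a nested jar; the result strings and function names are hypothetical.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Path relative to the Stata installation directory, as given in the FAQ.
H2O_JAR = Path("ado/base/jar/libstata-h2o.jar")
# Standard Maven metadata entry of log4j-core (assumed to survive bundling).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16)  # Log4j version the FAQ says addresses both CVEs


def log4j_versions(jar, depth=0):
    """List log4j-core versions in a jar (path or file object), including nested jars."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(POM):
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                if m:
                    found.append(m.group(1).strip())
            elif name.endswith(".jar") and depth < 3:
                found += log4j_versions(io.BytesIO(zf.read(name)), depth + 1)
    return found


def assess(stata_dir):
    """Classify an installation directory by the state of its H2O jar."""
    jar = Path(stata_dir) / H2O_JAR
    if not jar.is_file():
        return "h2o-jar-absent"          # removed, or never installed
    versions = log4j_versions(jar)
    if not versions:
        return "log4j-version-unknown"   # no metadata found: not proof of safety

    def key(v):
        # Compare on (major, minor); unparsable versions sort as too old.
        return tuple(int(x) for x in re.findall(r"\d+", v)[:2])

    return "patched" if all(key(v) >= FIXED for v in versions) else "needs-update"


if __name__ == "__main__":
    # Usage: python check_stata_log4j.py <stata_installation_directory>
    print(assess(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A result of "log4j-version-unknown" means the metadata entry was not found, so the jar should be treated as unverified and either updated or removed as described above.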