
Is Stata affected by the Log4j vulnerability (CVE-2021-44228 and subsequent CVE-2021-45046)?

Author James Hassell, StataCorp

This is in reference to CVE-2021-44228 and the subsequent CVE-2021-45046, which impact software that uses certain versions of Apache Log4j.

Stata 15 and Stata 16 do not use Log4j and are not affected.

Stata 17's core features do not use Log4j. However, the experimental H2O feature does use Log4j. A Stata 17 installation updated to 16 December 2021 includes a patched version of Log4j that mitigates the vulnerabilities described in the CVEs. Importantly, if you are not using h2o commands, the affected Log4j library will not be loaded by Stata, even if your Stata is not updated.

On 14 December 2021, we released an update that included the then-latest H2O version, 3.34.0.5. H2O 3.34.0.5 incorporated Log4j 2.15, which addresses CVE-2021-44228.

On 15 December 2021, it was reported that the fix addressing CVE-2021-44228 in Apache Log4j 2.15 was incomplete in certain non-default configurations, as described in CVE-2021-45046.

Subsequently, on 16 December 2021, we released another update to Stata 17 that includes H2O 3.34.0.6. H2O 3.34.0.6 uses the patched Log4j library, version 2.16, which addresses both CVE-2021-44228 and CVE-2021-45046.

The latest updates can be installed in Stata 17 by typing update all in the Stata Command window. A fully updated Stata 17 is not affected by the CVEs described in this FAQ.

If you are unable to update your Stata installation, the H2O library, including the affected Log4j library, can be removed from the Stata installation. You can safely delete <stata_installation_directory>/ado/base/jar/libstata-h2o.jar to remove any possibility of the library being loaded.
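To confirm which Log4j version a given jar actually bundles, the following added example (not StataCorp's code) scans a jar and any nested jars for log4j-core's Maven metadata and maps the version to the thresholds stated in this FAQ. It assumes the jar kept that metadata; the internal layout of libstata-h2o.jar is not described on this page, and the sample jar is constructed for the demo.

```python
import io
import re
import sys
import zipfile

# Maven metadata shipped inside log4j-core; a repackaged jar may have dropped it.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(version):
    """Status of a log4j-core version, using only the thresholds in this FAQ."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return "unknown version"
    mm = (int(m.group(1)), int(m.group(2)))
    if mm >= (2, 16):
        return "addresses CVE-2021-44228 and CVE-2021-45046"
    if mm == (2, 15):
        return "addresses CVE-2021-44228 only"
    return "older than 2.15: treat as affected"  # backport releases not distinguished

def scan(data, name, depth=0):
    """Return (location, version, status) for each log4j-core copy, nested jars included."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM in names:
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else "?"
            found.append((name, version, classify(version)))
        elif JNDI in names:
            found.append((name, None, "log4j-core present, version metadata missing"))
        for inner in names:
            if inner.endswith(".jar") and depth < 3:  # bound recursion into nested jars
                found += scan(zf.read(inner), f"{name}!{inner}", depth + 1)
    return found

def make_sample_jar(version):
    """Constructed input for the demo: an outer jar holding a fake log4j-core jar."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. path to libstata-h2o.jar
    data = open(path, "rb").read() if path else make_sample_jar("2.15.0")
    print(*scan(data, path or "sample.jar"), sep="\n")
```

An empty result means no log4j-core metadata or classes were found under the paths checked, not proof that the library is absent.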
