Lately, we have received many requests about a dangerous bug in the Log4j library, and we hasten to reassure you: None of DBeaver products use log4j for any program needs. It is entirely safe to use the latest DBeaver versions.
A few days ago, it became known about a dangerous Log4Shell vulnerability in the Log4j logging tool, which is distributed in the form of a library along with the Apache Logging Project. The issue with log4j is applicable for server applications that receive HTTP requests, not for desktop applications such as DBeaver. You can find more information about the vulnerability here.
A few additional notes:
- Our previous versions, namely 7.1, 7.2, and 7.3 Enterprise Edition, contained the log4j library as an optional external dependency.
- Versions from 7.3 to 21.2 used a version of AWS Redshift driver, which came with log4j as a dependency. Since it’s a JDBC driver, it cannot be used for external attacks.
- Also, there is an ant-apache-log4j.jar library in commercial versions of DBeaver. This jar file does not contain log4j. It’s an adapter from the Ant tool.