SQLite Forum

Confirming - No Embedded Log4J

(1) By Doug B (dabrink2) on 2021-12-13 23:48:02

I realize this is a relatively silly question for a C library, but given I've seen some crazy library scenarios play out in the past - would like to have some backing from some experts confirming that there is no embedded log4j anywhere in SQLite - correct?

(2) By Richard Hipp (drh) on 2021-12-14 00:01:27 in reply to 1

Yes, you are correct, that is a silly question. No, there is no log4j in SQLite. In fact, I'd never even heard of log4j before last week.

(4) By Richard Hipp (drh) on 2021-12-14 02:20:03 in reply to 2

To reiterate, SQLite does not use any third-party libraries. It uses only standard C-library interfaces for everything. Everything is written from scratch using C. There is no Java anywhere in SQLite.

Having now read up on log4shell, I checked the server logs for the SQLite website and I see that since I last rotated the logs (4 days ago) we have had 234 HTTP requests, from 33 distinct IP addresses, that have the text "jndi:ldap" either in the query string or in the user-agent string. But the SQLite website does not use log4j or any other Java, and in fact runs inside a minimally provisioned chroot jail from which it is not possible to run JNDI or create a socket even if it wanted to. So the SQLite website, and this forum, appear to be safe.
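The log check described in post (4), sketched as an added example that is not part of the original thread and is not the SQLite project's code: it counts requests, and distinct source addresses, whose query string or user-agent contains "jndi:ldap". It assumes combined-format access logs (the thread does not give the SQLite server's log format); the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
MARKER = "jndi:ldap"  # the text quoted in the post

# Constructed sample lines (documentation-range addresses, .invalid hosts).
SAMPLE = [
    '192.0.2.10 - - [13/Dec/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2021:10:00:01 +0000] "GET /search?q=jndi%3Aldap%3A%2F%2Fhost.invalid%2Fa HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '198.51.100.7 - - [13/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "JNDI:LDAP://host.invalid/a"',
    '203.0.113.5 - - [13/Dec/2021:10:00:03 +0000] "GET /?x=1 HTTP/1.1" 404 0 "-" "scanner jndi:ldap://host.invalid/b"',
    'truncated or malformed line',
]


def scan(lines):
    """Return (matching_requests, distinct_source_ips, unparsed_lines)."""
    hits, ips, unparsed = 0, set(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # count these so parser gaps do not go unnoticed
            continue
        # Query string is everything after the first '?'; it is usually
        # percent-encoded, so decode before the case-insensitive match.
        query = unquote_plus(m["target"].partition("?")[2]).lower()
        agent = unquote(m["agent"]).lower()
        if MARKER in query or MARKER in agent:
            hits += 1
            ips.add(m["ip"])
    return hits, ips, unparsed


if __name__ == "__main__":
    hits, ips, unparsed = scan(SAMPLE)
    print(f"{hits} requests from {len(ips)} distinct IPs ({unparsed} unparsed lines)")
```
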

(3) By Larry Brasfield (larrybr) on 2021-12-14 00:01:56 in reply to 1

The SQLite library depends on the C library and the OS, and with certain build options, on the zlib compression library. And that's it for dependencies. If it relied on any Java libraries (and hence on a JVM), it would be much slower and the 'Lite' part of its name would draw derision rather than appreciation.