
exploitDog

CVE-2021-44228

Published: 20 Dec 2021
Source: msrc
EPSS: Critical

Description

Apache Log4j Remote Code Execution Vulnerability

Certain versions of Apache Log4j2 are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability.

The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. Other Microsoft services require customers to apply configuration changes to mitigate the risks. These are listed in the MSRC blog:

Additional information can be found in the Security Product Blog:

The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. If we identify additional services which require customers to take action, we will notify them via Azure Service Health Notifications. If you are using any Microsoft services other than those explicitly listed there is no action required by you at this time.

How to get notified of updates to this CVE

If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Updates

Product                             Article   Update
Azure Spring Cloud
Microsoft Defender for IoT
Cosmos DB Kafka Connector
Events Hub Extension
Minecraft Java Edition
Azure Arc-enabled Data Services     -
Azure Databricks                    -
Azure VMware Solution               -
SQL Server 2019 Big Data Clusters   -
Team Foundation Server              -

Exploitability

Publicly Disclosed: Yes
Exploited: Yes
DOS: N/A

EPSS

Percentile: 100%
0.94358
Critical

Related vulnerabilities

CVSS3: 10
ubuntu
more than 3 years ago

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS3: 9.8
redhat
more than 3 years ago

CVSS3: 10
nvd
more than 3 years ago

CVSS3: 10
debian
more than 3 years ago

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2. ...

suse-cvrf
more than 3 years ago

Security update for logback
