Apache Log4j Remote Code Execution Vulnerability

Certain versions of Apache Log4j2 are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability.

The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. Other Microsoft services require customers to apply configuration changes to mitigate the risks. These are listed in the MSRC blog:

• MSRC Blog: Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center

Additional information can be found in the Security Product Blog:

• Security Product Blog: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog

Recommended Actions

The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. If we identify additional services which require customers to take action, we will notify them via Azure Service Health Notifications. If you are using any Microsoft services other than those explicitly listed there is no action required by you at this time.

How to get notified of updates to this CVE

If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.