10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Certain versions of Apache Log4j2 are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability.
The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. Other Microsoft services require customers to apply configuration changes to mitigate the risks. These are listed in the MSRC blog:
Additional information can be found in the Security Product Blog:
The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. If we identify additional services which require customers to take action, we will notify them via Azure Service Health Notifications. If you are using any Microsoft services other than those explicitly listed there is no action required by you at this time.
If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%