hbd
Regular Visitor

log4j vulnerability

In \Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar, log4j 2.12.1 is used which is vulnerable with https://www.cvedetails.com/cve/CVE-2021-44228/ . @microsoft any plan for updating it?

NikosMoutzou
Microsoft
Microsoft

Regarding the CVE-2021-44228 log4j vulnerability (CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and othe...), Power Automate for desktop does not use the log4j component since it is built on the .NET Framework, and not Java. The vulnerability has to do with services using this specific component for logging. While Power Automate for desktop is using it only for Java automation (automation of Java apps), and since it is not a service, it is not impacted. In any case, the latest version of Power Automate for desktop (to be released today Dec 14th) uses the latest log4j version that fixes this issue.

I rather disagree. Since this file in \Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar uses log4j 2.12.1 and it's owned by Microsoft, whoever is using this service is vulnerable, hence it needs to be updated by MS, as the end user doesn't own the code.

NikosMoutzou
Microsoft
Microsoft

Hello @hbd .

Please note that in the case of Power Automate for desktop, an attacker would first need to get access to the specific machine, gain the necessary rights to be able to install a Java application on this machine, and only then would he/she be able to take advantage of this vulnerability.

Also, today, 12/15/2021, Microsoft has released a QFE version of Power Automate for desktop which uses the newest version of log4j, with the vulnerability resolved. The newest Power Automate for desktop version can be downloaded from all the default links.

Yes, I have found that in the jar file with today's release; however, 2.15 is still vulnerable and Apache has now released 2.16. https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/

<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j</artifactId>
<version>2.15.0</version>
<relativePath>../</relativePath>

Can you specify which version number has been fixed? I can't see any patch notes mentioning this vulnerability to be sure we have a safe version.

If a customer has already set up automation of a Java app which has been attacked, this vulnerable class can trigger code just by parsing the logs, even if the app itself is secure.

hbd
Regular Visitor

https://nvd.nist.gov/vuln/detail/CVE-2021-45046 This says that the log4j 2.15 fix is incomplete and 2.16 is required. PAD's release from yesterday was using 2.15.

hbd
Regular Visitor

The latest release of PAD has fixed the log4j issue.

(screenshot attached)

PAD version (screenshot attached)

hbd
Regular Visitor

Now log4j 2.17 fixes the DoS.

https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
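As an added example that is not part of this thread or of Microsoft's code: a Python check that opens a jar such as PAD.JavaBridge.jar, reads the Maven pom.properties files bundled under META-INF, and maps the Log4j 2 version it finds to the CVE ranges listed above. The jar used here is a constructed stand-in, and the exclusion of 2.12.2 for CVE-2021-44228 (the Java 7 backport fix) is an addition not in the list.

```python
import io, re, zipfile

# Affected ranges as listed above: (CVE, lowest affected, highest affected, excluded versions).
# Added assumption: 2.12.2 (the Java 7 backport fix) is also excluded for CVE-2021-44228.
LOG4J2_CVES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", {"2.12.2"}),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", {"2.12.2"}),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", set()),
]

def version_key(v):
    """Sortable key: '2.0-beta9' < '2.0' < '2.12.1' (a qualifier such as beta sorts before the release)."""
    main, _, qual = v.partition("-")
    nums = [int(x) for x in main.split(".")] + [0] * 3
    pre = (1, 0) if not qual else (0, int(re.sub(r"\D", "", qual) or 0))
    return tuple(nums[:3]) + pre

def cves_for_version(v):
    """Return the CVE ids from the list whose affected range covers this Log4j 2 version string."""
    k = version_key(v)
    return sorted(cve for cve, lo, hi, excl in LOG4J2_CVES
                  if version_key(lo) <= k <= version_key(hi) and v not in excl)

def log4j_versions_in_jar(jar):
    """Return {artifact: version} from each META-INF/maven/org.apache.logging.log4j/*/pom.properties."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = re.match(r"META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$", name)
            if m:
                lines = zf.read(name).decode().splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                found[m.group(1)] = props.get("version", "0").strip()
    return found

def build_sample_jar(version):
    """Constructed stand-in for PAD.JavaBridge.jar: a zip carrying a log4j-core pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"#Generated by Maven\nversion={version}\nartifactId=log4j-core\n")
    buf.seek(0)
    return buf

def report(jar):
    """Map each bundled log4j artifact to its applicable CVEs ([] means outside every listed range)."""
    return {art: cves_for_version(ver) for art, ver in log4j_versions_in_jar(jar).items()}
```

Pass a real path to `report()` to check an installed jar; a jar that ships log4j as a nested jar rather than merged classes needs the inner jar opened the same way.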

Hey @hbd 

We are currently working on addressing this issue and a fix should be available soon.

Hi kostasc,

Any update on this? We have a few customers that use PAD and we'd like to be able to tell them that it has been patched.

Regards,

Pat

Following. Is there a Microsoft statement somewhere we can refer to?

kostasc
Microsoft
Microsoft

Hey everyone,

Log4j has been completely removed from Power Automate for Desktop in the latest release (2.15.284).
