hbd
Regular Visitor

log4j vulnerability

In \Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar, log4j 2.12.1 is used, which is vulnerable to https://www.cvedetails.com/cve/CVE-2021-44228/ . @microsoft any plan for updating it?


12 REPLIES
NikosMoutzou
Employee

Regarding the CVE-2021-44228 log4j vulnerability (CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and othe...), Power Automate for desktop does not use the log4j component since it is built on the .NET Framework, and not Java. The vulnerability has to do with services using this specific component for logging. While Power Automate for desktop is using it only for Java automation (automation of Java apps), and since it is not a service, it is not impacted. In any case, the latest version of Power Automate for desktop (to be released today Dec 14th) uses the latest log4j version that fixes this issue.

I rather disagree. Since this file in \Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar uses log4j 2.12.1 and it's owned by Microsoft, whoever is using this service is vulnerable, hence it needs to be updated by MS, as the end-user doesn't own the code.

NikosMoutzou
Employee

Hello @hbd .

Please note that in the case of Power Automate for desktop, an attacker would first need to get access to the specific machine, gain the necessary rights to install a Java application on this machine, and only then would he/she be able to take advantage of this vulnerability.

Also, today, 12/15/2021, Microsoft has released a QFE version of Power Automate for desktop which uses the newest version of log4j, with the vulnerability resolved. The newest Power Automate for desktop version can be downloaded from all the default links.

Yes, I have found that in the jar file with today's release; however, 2.15 is still vulnerable and Apache has released 2.16 now. https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/

<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j</artifactId>
<version>2.15.0</version>
<relativePath>../</relativePath>

Can you specify which version number has been fixed? I can't see any patch notes mentioning this vulnerability to be sure we have a safe version.

If a customer has already set up automation of a Java app which has been attacked, this vulnerable class can trigger code just by parsing the logs, even if the app itself is secure.

hbd
Regular Visitor

https://nvd.nist.gov/vuln/detail/CVE-2021-45046 This says the log4j 2.15 fix is incomplete and 2.16 is required. PAD's release yesterday was using 2.15.

hbd
Regular Visitor

The latest release of PAD has fixed the log4j issue.

[screenshot]

PAD version

[screenshot]

hbd
Regular Visitor

Now log4j 2.17 is fixing a DoS.

https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
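To check for yourself which log4j-core a jar actually ships, and which of the CVEs in the list above still apply to it, here is a small Python scan written for this thread (it is an added example, not Microsoft's code or anything from the Log4j project). It reads the Maven pom.properties that log4j-core embeds under META-INF/maven/ (the same metadata the pom.xml fragment quoted earlier came from) and checks whether JndiLookup.class is still in the archive, since deleting that class was Apache's documented mitigation for the two JNDI issues but does nothing for the CVE-2021-45105 recursion DoS. The assumption is that the jar keeps that Maven metadata; a repackaged jar that strips META-INF will report "not found". The version thresholds are the ones listed above plus the 2.12.x backports Apache published for Java 7 (2.12.2 and 2.12.3). The sample jars in the block are constructed in memory; point the script at a real file to scan it, e.g. python log4j_jar_check.py "C:\Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar".

```python
"""Report which Apache Log4j 2 core a jar bundles and which of the CVEs
discussed in this thread still apply to it.

Added example for this thread, not Microsoft's or the Log4j project's code.
Assumption: the jar keeps the Maven metadata log4j-core ships with
(META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties).
"""
import io
import re
import sys
import zipfile
from typing import Dict, List, Optional, Tuple

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# (CVE, first fixed 2.x release, first fixed release on the 2.12 branch).
# The 2.x thresholds are the ones listed in this thread; 2.12.2 / 2.12.3 are
# the Java 7 backports Apache published alongside 2.16.0 and 2.17.0.
FIXES: List[Tuple[str, Tuple[int, ...], Tuple[int, ...]]] = [
    ("CVE-2021-44228", (2, 15, 0), (2, 12, 2)),
    ("CVE-2021-45046", (2, 16, 0), (2, 12, 2)),
    ("CVE-2021-45105", (2, 17, 0), (2, 12, 3)),
]
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}  # mitigated by removing JndiLookup.class


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.15.0' -> (2, 15, 0); '2.0-beta9' -> (2, 0). Qualifier suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def vulnerable_cves(version: str) -> List[str]:
    """CVEs from FIXES that apply to the given log4j-core 2.x version string."""
    v = parse_version(version)
    if v < (2,):
        # log4j 1.x is a separate code base (CVE-2021-4104 is its own issue); not assessed here.
        return []
    on_2_12_branch = v[:2] == (2, 12)
    return [cve for cve, fixed, backport in FIXES
            if v < (backport if on_2_12_branch else fixed)]


def assess(jar_bytes: bytes) -> Dict[str, object]:
    """Inspect a jar: bundled log4j-core version, JndiLookup presence, CVEs still open."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version: Optional[str] = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi_present = JNDI_CLASS in names
    open_cves = vulnerable_cves(version) if version else []
    if not jndi_present:
        # Deleting JndiLookup.class closes the JNDI issues only; the
        # CVE-2021-45105 lookup recursion is unaffected by it.
        open_cves = [c for c in open_cves if c not in JNDI_CVES]
    return {"log4j_core": version, "jndi_lookup_present": jndi_present, "open_cves": open_cves}


def build_test_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Constructed stand-in for PAD.JavaBridge.jar holding only the entries the scan reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPERTIES,
                         f"#Generated by Maven\nversion={version}\n"
                         "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], assess(fh.read()))
    else:
        # Offline demo on constructed jars mirroring the states reported in this thread.
        for label, jar in [("2.12.1 (original PAD build)", build_test_jar("2.12.1", True)),
                           ("2.15.0 (Dec 15 QFE)", build_test_jar("2.15.0", True)),
                           ("no log4j (2.15.284)", build_test_jar(None, False))]:
            print(label, assess(jar))
```

A jar that reports log4j_core None and no JndiLookup.class is what the final reply in this thread describes for 2.15.284; a version of 2.15.0 with the class present still shows CVE-2021-45046 and CVE-2021-45105 open, which is the state the Dec 15 QFE was in.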

Hey @hbd 

We are currently working on addressing this issue and a fix should be available soon.

Hi kostasc,

Any update on this? We have a few customers that use PAD and we'd like to be able to tell them that it has been patched.

Regards,

Pat

Following. Is there a Microsoft statement somewhere we can refer to?

kostasc
Employee

Hey everyone,

Log4j has been completely removed from Power Automate for Desktop in the latest release (2.15.284).
