cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
hbd
Regular Visitor

log4j vulnerability

‎12-13-2021 04:19 AM

In \Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar, log4j 2.12.1 is used which is vulnerable with https://www.cvedetails.com/cve/CVE-2021-44228/ . @microsoft any plan for updating it?

Labels:
Message 1 of 13
5,126 Views
1 ACCEPTED SOLUTION

Accepted Solutions
kostasc
Microsoft
Microsoft

‎12-22-2021 12:58 AM

Hey everyone,

Log4j has been completely removed from Power Automate for Desktop in the latest release (2.15.284).

View solution in original post

Message 13 of 13
3,200 Views
12 REPLIES 12
NikosMoutzou
Microsoft
Microsoft

‎12-14-2021 02:23 AM
Regarding the CVE-2021-44228 log4j vulnerability (CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and othe...), Power Automate for desktop does not use the log4j component since it is built on the .NET Framework, and not Java. The vulnerability has to do with services using this specific component for logging. While Power Automate for desktop is using it only for Java automation (automation of Java apps), and since it is not a service, it is not impacted. In any case, the latest version of Power Automate for desktop (to be released today Dec 14th) uses the latest log4j version that fixes this issue.
Message 2 of 13
5,082 Views
hbd
Regular Visitor
In response to NikosMoutzou

‎12-14-2021 04:56 AM

I rather disagree. Since this file In \Program Files (x86)\Power Automate Desktop\java-support\PAD.JavaBridge.jar uses log4j 2.12.1 and it's owned by Microsoft, whoever using this service is vulnerable hence need to be updated by MS as the end-user doesn't own the code.

Message 3 of 13
5,076 Views
NikosMoutzou
Microsoft
Microsoft

‎12-15-2021 08:15 AM

Hello @hbd .

 

Please note that in the case of Power Automate for desktop, an attacker should initially get access to the specific machine, gain the necessary rights in order to be able to install a java application in this machine and then he/she would be able to take advantage of this vulnerability.

 

Also, today, 12/15/2021, Microsoft has released a QFE version of Power Automate for desktop which uses the newest version of log4j, with the vulnerability resolved. The newest Power Automate for desktop version can be downloaded from all the default links.

Message 4 of 13
4,750 Views
hbd
Regular Visitor
In response to NikosMoutzou

‎12-15-2021 08:46 AM

Yes, I have found that in the jar file with today's release, however 2.15 is still prone and Apache release 2.16 now. https://www.theregister.com/2021/12/14/apache_log4j_2_16_jndi_disabled/

<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j</artifactId>
<version>2.15.0</version>
<relativePath>../</relativePath>

Message 5 of 13
4,732 Views
0 Kudos
Norro
Frequent Visitor
In response to NikosMoutzou

‎12-16-2021 06:59 AM

Can you specify which version number has been fixed? I can't see any patch notes mentioning this vulnerability to be sure we have a safe version.

If a customer has already setup automation of a java app which has been attacked this vulnerable class can trigger code just by parsing the logs even if the app itself is secure.

Message 6 of 13
4,395 Views
0 Kudos
hbd
Regular Visitor

‎12-16-2021 07:21 AM

https://nvd.nist.gov/vuln/detail/CVE-2021-45046 This talks about log4j 2.15 is incomplete and 2.16 is required. PAD yesterday's release was using 2.15. 

Message 7 of 13
4,375 Views
0 Kudos
hbd
Regular Visitor

‎12-16-2021 07:50 AM

The latest release of PAD has fixed the log4j issue.

hbd_0-1639669779639.png

 

PAD version

hbd_1-1639669800591.png

 

 

Message 8 of 13
4,364 Views
0 Kudos
hbd
Regular Visitor

‎12-20-2021 02:04 AM

Now log4j 2.17 is fixing DoS. 

https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html

 

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
Message 9 of 13
3,796 Views
0 Kudos
kostasc
Microsoft
Microsoft
In response to hbd

‎12-20-2021 04:09 AM

Hey @hbd 

We are currently working on addressing this issue and a fix should be available soon.

Message 10 of 13
3,757 Views
PatBerger
New Member
In response to kostasc

‎12-21-2021 01:31 PM

HI kostasc,

 

Any update on this? We have a few customers that use PDA and we'd like to be able to tell them that it has been patched.

 

Regards,

Pat

Message 11 of 13
3,294 Views
0 Kudos
ChrisSchulz
New Member
In response to kostasc

‎12-21-2021 04:28 PM

Following. Is there a Microsoft statement somewhere we can refer to?

Message 12 of 13
3,267 Views
0 Kudos
kostasc
Microsoft
Microsoft

‎12-22-2021 12:58 AM

Hey everyone,

Log4j has been completely removed from Power Automate for Desktop in the latest release (2.15.284).
Message 13 of 13
3,201 Views

Helpful resources

Announcements
MPA Virtual Workshop Carousel 768x460.png

Register for a Free Workshop

Learn to digitize and optimize business processes and connect all your applications to share data in real time.

New Process Advisor Capabilities carousel.png

Read the blog for the latest news

Read the latest about new experiences and capabilities in the Power Automate product blog.

PA Survey Carousel Image.png

We want to hear from you!

If you are a small business ISV/Reseller, share your thoughts with our research team.

AI Builder AMA June 7th carousel (up on May 25th, take down June 8th) (1).png

'Ask Microsoft Anything' about AI Builder!

The AI Builder team invite you to ask questions and provide helpful answers at our next AMA.

View All
Users online (1,625)