Back to board Open MSRC
MSRC compact vulnerability detail

CVE-2021-44228 · Apache Log4j Remote Code Execution Vulnerability

Certain versions of Apache Log4j2 are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability. The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. Other Microsoft services require customers to apply configuration changes to mitigate the risks. These are listed in the MSRC blog: MSRC Blog: Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center Additional information can be found in the Security Product Blog: Security Product Blog: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog Recommended Actions The Microsoft services detailed in the Security Updates table req...

Severity
n/a
Impact
n/a
CVSS
n/a base · n/a temporal
Release
2021-12-16
Signals
Apache Log4j2 Unknown impact Exploited: Yes Publicly disclosed: Yes Exploitability: n/a
CWE
No CWE data published.
Patch Diff
Loading module diff metadata...
Resolved binary override
Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.
Old version New version
Description
Certain versions of Apache Log4j2 are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability. The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. Other Microsoft services require customers to apply configuration changes to mitigate the risks. These are listed in the MSRC blog: MSRC Blog: Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center Additional information can be found in the Security Product Blog: Security Product Blog: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog Recommended Actions The Microsoft services detailed in the Security Updates table req...
FAQ / Articles
No FAQ or article content was published.