SharePoint & Log4j - CRITICAL: Security Vulnerability

A new Log4j vulnerability was disclosed the night between Dec 17 and 18 2021 by the Apache security team, and was given the ID of CVE-2021-45105.

According to the security advisory, which fixed the two previous vulnerabilities, is susceptible to a DoS attack caused by a Stack-Overflow in Context Lookups in the configuration file’s layout patterns.

Is it affecting SharePoint?

Microsoft continues the analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed this month. 

Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of the enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability. Which means SharePoint is not affected by this vulnerability.

If you are using any Microsoft services other than those explicitly listed in the CVE, no action is required by you at this time. As we continue our investigation, we will notify affected parties if we identify any impact to customer data.

To help users protect themselves, Microsoft provided the following product specific guidance to help you improve the security of the MS services and products. Links are provided to jump to the content below:

Mitigation Guidance for Microsoft Services
Azure Arc-enabled Data Services
Azure App Service (Windows and Linux and Containers)
Azure Application Gateway, Azure Front Door, and Azure WAF 
Azure Databricks
Azure Functions
Azure HDInsights
Azure Spring Cloud
Cosmos DB SDKs
Cosmos DB Spring Connector
Cosmos DB Spark Connector
Microsoft Azure AD
Minecraft: Java Edition
SQL Server (on Windows) – all editions
SQL Server (on Linux) – all editions
SQL Server 2019 Big Data Clusters
SQL Server on Azure VM/IaaS
Information for Security Operations and Hunters

No Comments

Add a Comment

As it will appear on the website

Not displayed

Your website