A new Log4j vulnerability was disclosed by the Apache security team on the night between December 17 and 18, 2021, and was assigned the ID CVE-2021-45105.
According to the security advisory, the release that fixed the two previous vulnerabilities is susceptible to a DoS attack caused by a stack overflow in Context Lookups in the configuration file’s layout patterns.
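To check whether a given configuration meets that condition, the following Python script (an added example, not code from the original post, Apache, or Microsoft) scans a Log4j 2 XML configuration for Context Lookups, written `${ctx:key}` or `$${ctx:key}`, inside layout patterns. The sample configuration and the function name `find_ctx_lookups` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Log4j 2 Context Lookup syntax: ${ctx:key}, or the escaped form $${ctx:key}.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="safe">
      <PatternLayout pattern="%d %p %c - %X{loginId} %m%n"/>
    </Console>
    <Console name="attr">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
    <File name="child" fileName="app.log">
      <PatternLayout>
        <Pattern>%d ${ctx:requestId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
</Configuration>
"""

def find_ctx_lookups(config_xml):
    """Return (appender_name, lookup) pairs for layout patterns that use Context Lookups."""
    root = ET.fromstring(config_xml)
    findings = []
    # Element names are compared case-insensitively.
    for appenders in (e for e in root.iter() if e.tag.lower() == "appenders"):
        for appender in appenders:
            name = appender.get("name", "<unnamed>")
            for elem in appender.iter():
                # A layout pattern is either a pattern="..." attribute
                # or the text of a nested <Pattern> element.
                patterns = [v for k, v in elem.attrib.items() if k.lower() == "pattern"]
                if elem.tag.lower() == "pattern" and elem.text:
                    patterns.append(elem.text)
                for pattern in patterns:
                    for match in CTX_LOOKUP.finditer(pattern):
                        findings.append((name, match.group(0)))
    return findings

if __name__ == "__main__":
    for name, lookup in find_ctx_lookups(SAMPLE_CONFIG):
        print(f"appender {name!r}: layout pattern contains {lookup}")
```

The `%X{loginId}` pattern in the first appender is a pattern converter rather than a Context Lookup, so it is not reported.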
Does it affect SharePoint?
Microsoft continues the analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed this month.
Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of the enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability. This means SharePoint is not affected by this vulnerability.
If you are using any Microsoft services other than those explicitly listed in the CVE, no action is required by you at this time. As we continue our investigation, we will notify affected parties if we identify any impact to customer data.
To help users protect themselves, Microsoft provided the following product-specific guidance to help you improve the security of the MS services and products. Links are provided to jump to the content below: