Updated: Azure DevOps (and Azure DevOps Server) and the log4j vulnerability

Gloridel Morales

Update: We released patches for Azure DevOps Server and TFS 2018.3.2 to include an upgraded version of Elasticsearch. Check out the blog post for details.

For the most part, Azure DevOps (and Azure DevOps Server) are built on .NET and do not use the Apache log4j library whose vulnerabilities (CVE-2021-44228, CVE-2021-45046, Microsoft security blog post) have been the focus of so much recent attention. The Search feature in both Azure DevOps and Azure DevOps Server does use this library, however, as part of its dependency on Elasticsearch.

Azure DevOps is not vulnerable. Even so, we are taking this opportunity to make additional improvements as part of our overall defense-in-depth strategy for the hosted service.

For Azure DevOps Server (and older versions of Team Foundation Server):

  • Installations without Search configured are not vulnerable and no action is required.
  • For Azure DevOps Server 2020, Azure DevOps Server 2019, and Team Foundation Server 2018, our recommendation is the same:

      • Upgrade the Java Virtual Machine on the server where the Search feature is installed to the latest release with the same major version (and then restart Elasticsearch).

      • Remove the JndiLookup class from the jar file (and then restart Elasticsearch). Most references to this online give a command that will work only on Linux. MVP Jesse Houwing has helpfully included commands that will work on Windows using 7-Zip in his blog post here. They will be similar to: 7z.exe d log4j-core-.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Team Foundation Server 2017 is not vulnerable to CVE-2021-44228 or CVE-2021-45046. It is, however, dependent on a version of Elasticsearch that is end-of-life from a support perspective. We recommend upgrading to a newer version of Team Foundation Server / Azure DevOps Server (documentation) or uninstalling the Search feature (documentation).
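To confirm that the JndiLookup removal recommended above for Azure DevOps Server 2020, 2019 and Team Foundation Server 2018 actually took effect, the following PowerShell check lists every log4j-core jar under a folder and reports whether the class is still inside it. This is an added example, not code from Microsoft or from Jesse Houwing's post; the function name `Get-Log4jJndiStatus` and the demo jar names are hypothetical, and in real use `-Root` would be the Elasticsearch installation folder on the Search server.

```powershell
# Added example (not Microsoft's code): report whether log4j-core jars still contain JndiLookup.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Entry path taken from the 7z.exe command quoted in the post.
$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Get-Log4jJndiStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -File -Filter 'log4j-core*.jar' | ForEach-Object {
        $jar = $_
        try {
            # A jar is a zip archive; open it read-only and look for the class entry.
            $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
            try {
                $present = @($zip.Entries | Where-Object { $_.FullName -eq $JndiEntry }).Count -gt 0
            } finally {
                $zip.Dispose()
            }
            $status = if ($present) { 'JndiLookup PRESENT' } else { 'JndiLookup removed' }
        } catch {
            # A locked or corrupt jar is reported rather than silently skipped.
            $status = 'UNREADABLE: ' + $_.Exception.Message
        }
        [pscustomobject]@{ Jar = $jar.FullName; Status = $status }
    }
}

# Constructed demo input: two jars with empty entries in a temp folder (not real log4j builds).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('jndi-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$samples = @{
    'log4j-core-demo-unpatched.jar' = @($JndiEntry, 'org/apache/logging/log4j/core/Logger.class')
    'log4j-core-demo-patched.jar'   = @('org/apache/logging/log4j/core/Logger.class')
}
foreach ($name in $samples.Keys) {
    $zip = [System.IO.Compression.ZipFile]::Open((Join-Path $demo $name), 'Create')
    try { $samples[$name] | ForEach-Object { [void]$zip.CreateEntry($_) } } finally { $zip.Dispose() }
}

Get-Log4jJndiStatus -Root $demo | Format-List
Remove-Item -Recurse -Force $demo
```

Any jar reported as `JndiLookup PRESENT` still needs the class removed, and the change only takes effect once Elasticsearch has been restarted, as the steps above state.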

We are still exploring generation of patches to simplify this process, and will continue posting updates here as we learn more.

Additionally, the Linux versions of the Azure Pipelines agent include an older version of log4j as part of the Team Explorer Everywhere command line used to interact with Team Foundation Version Control. This version of log4j is not vulnerable to CVE-2021-44228 or CVE-2021-45046. It is end-of-life and includes other vulnerabilities, but we have previously confirmed that these vulnerabilities are not exploitable on Azure Pipelines agents. No action is required for users of Linux Azure Pipelines agents.

Last updated: 1/26/2022 @ 12:06 pm PST