This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.
The following version of the product has been patched.
Azure DevOps Server 2019.1.2 Patch 9
If you have Azure DevOps Server 2019.1.2, you should install Azure DevOps Server 2019.1.2 Patch 9.
- Streamline the deployment of agent and tasks updates from previous patches (Patch 5 and 6).
Verifying Installation
- Run devops2019.1.2patch9.exe CheckInstall, where devops2019.1.2patch9.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Gloridel
I’m working within a DOD Azure environment. We are running DevOps 2019 – and are getting the log4J vulnerability for ElasticSearch (ACAS Scans).
I have read through the blurbs, but am not finding a solution. The only patch I found was for 2019.0.1 patch 12, but I’m not able to install this patch due to its version being so old.
I can’t find anything else on the web that can help. Looks like our DevOps is installed on another drive (not C:)
Is there any hope for fixing this? Please feel free to reach out to me directly!
Hi Shawn, I want to confirm the steps for addressing the vulnerability. You should follow the installation steps listed in the release notes starting with step number 2.
Hi Shawn, you will have to follow the steps listed in the release notes for Patch 12. Since patches are cumulative, you should be able to skip to step 2 in the install steps, but I want to confirm this with our engineering team. I am sending your question to them, and I will get back to you with details as soon as I have them.
Initially they had this blog post which you could just go in and remove the log4j file which is what we had to do until they came out with the patch.
https://devblogs.microsoft.com/devops/azure-devops-and-azure-devops-server-and-the-log4j-vulnerability/
That post is from 2021 – Is there anything (patch?) I can use today to remediate? Is 2019.0.1 patch 12 the patch you are referring to, or is there something newer? Is there a way to force the ‘outdated/older’ patch (2019.0.1 patch 12)?
I really need to get this figured out. Any help would be appreciated!
Thanks in Advance
If you’re running 2019.0.1 you can upgrade to patch 16
https://learn.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2019?view=azure-devops
If you’re running 2019.1.2 they’re up to patch 9
https://learn.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2019u1?view=azure-devops
If you can’t upgrade to either, you can edit the jar file manually and remove the log4j yourself as it doesn’t seem to be needed.
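
For the manual workaround discussed in the comments above, an added example (not from the blog post, the commenters or Microsoft) that inventories log4j-core jars under a folder and reports whether the JndiLookup class, the class the widely published log4j mitigation removes, is still inside each one. The function name, the sample folder layout and the 0.0.x jar names are constructed for illustration.

```powershell
# Added example: list log4j-core jars under a root and check each for JndiLookup.class.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiEntry = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

function Get-Log4jCoreStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $jar = $_
            try {
                # A jar is a zip archive; open it read-only and look for the class entry.
                $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
                try     { $present = @($zip.Entries | Where-Object FullName -eq $JndiEntry).Count -gt 0 }
                finally { $zip.Dispose() }
                $status = if ($present) { 'JndiLookup present' } else { 'JndiLookup removed' }
            } catch {
                # Locked or corrupt jar: report it instead of silently skipping it.
                $status = "unreadable: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Version = $jar.BaseName -replace '^log4j-core-', ''
                Status  = $status
                Path    = $jar.FullName
            }
        }
}

# Constructed sample tree (not a real install): one jar with the class, one without.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("log4j-demo-" + [guid]::NewGuid())
$lib  = New-Item -ItemType Directory -Path (Join-Path $demo 'elasticsearch\lib') -Force
foreach ($s in @(@{ Name = 'log4j-core-0.0.1.jar'; Entries = @($JndiEntry, 'META-INF/MANIFEST.MF') },
                 @{ Name = 'log4j-core-0.0.2.jar'; Entries = @('META-INF/MANIFEST.MF') })) {
    $z = [System.IO.Compression.ZipFile]::Open((Join-Path $lib.FullName $s.Name), 'Create')
    foreach ($e in $s.Entries) { $null = $z.CreateEntry($e) }
    $z.Dispose()
}

Get-Log4jCoreStatus -Root $demo | Format-Table -AutoSize
Remove-Item -Recurse -Force $demo
```

Point -Root at the drive or folder where the server and its search component are actually installed, which need not be C:. Any row reported as unreadable needs a manual look, since the check could not open that jar.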