Search code examples
ssislog4jvisual-studio-2019

Visual Studio 2019 SSIS-Extension log4j files

Due to the recent problems with log4j I was checking all my code etc.. While doing so i discovered two files named

"slf4j-log4j12-1.7.5.jar" and "log4j-1.2.17.jar"

to find under

"...\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\SSIS\150\Extensions\Common\Jars"

Since we are also developing SSIS packages we kinda rely on this extension. Sadly I was not able to find anything about SSIS in context with log4j. IMO it's also a bit dubious that the version of the log4j seems to be 1.x, which support ended in 2015.

Are there any known fixes/updates?

Solution

  • This is not a problem.

    In what way those .jar file can be exploited to trig a privilege escalation or software evasion?

    The fact that Visual Studio is using old libraries doesn't shock me at all. Large companies are use to rely on third party library and then they are usually forbidden in the corner during years.

    EDIT:

    You question was somehow interesting and I needed to dig further.

    Apparently this 0-day has been around since March, so it means 9 month ago. There is no evidence of mass exploitation but that doesn't mean that it hasn't been used in the past months.

    In order to use it:

    [...] an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.

    This means that hypothetically you can exploit the vulnerability through SSIS in this scenario:

    1. Create an SSIS package that ask for an input to the client user
    2. The package must use log4j for logging
    3. The user enter the malicious crafted string of code

    ...then yes in this case an SSIS package could be exploited.

    I will try it out in my spare time and I will let you know.

    EDIT 2:

    After extensive research I can confirm you that this is not a problem because only version Log4j 2.X are impacted:

    Mitigation

    Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

    Log4j 2.x mitigation: Implement one of the mitigation techniques below.

    Use log4j-finder developed by FOX IT to enumerate vulnerable log4j files on your machines.