Visual Studio 2019 SSIS-Extension log4j files

Yama

Due to the recent problems with log4j I was checking all my code etc.. While doing so i discovered two files named

"slf4j-log4j12-1.7.5.jar" and "log4j-1.2.17.jar"

to find under

"...\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\SSIS\150\Extensions\Common\Jars"

Since we are also developing SSIS packages we kinda rely on this extension. Sadly I was not able to find anything about SSIS in context with log4j. IMO it's also a bit dubious that the version of the log4j seems to be 1.x, which support ended in 2015.

Are there any known fixes/updates?

Francesco Mantovani

This is not a problem.

In what way those .jar file can be exploited to trig a privilege escalation or software evasion?

The fact that Visual Studio is using old libraries doesn't shock me at all. Large companies are use to rely on third party library and then they are usually forbidden in the corner during years.

EDIT:

You question was somehow interesting and I needed to dig further.

Apparently this 0-day has been around since March, so it means 9 month ago. There is no evidence of mass exploitation but that doesn't mean that it hasn't been used in the past months.

In order to use it:

[...] an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.

This means that hypothetically you can exploit the vulnerability through SSIS in this scenario:

  1. Create an SSIS package that ask for an input to the client user
  2. The package must use log4j for logging
  3. The user enter the malicious crafted string of code

...then yes in this case an SSIS package could be exploited.

I will try it out in my spare time and I will let you know.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at
0

Comments

0 comments
Login to comment

Related

How to create visual studio extension for .cshtml files?

How adapt extension to Visual Studio 2019?

Generate the EDMX backing files in Visual Studio 2019

Generate graph of include files in Visual Studio Community 2019

Visual Studio 2019 - Use PowerShell to open files instead of Solution Explorer

Why is my SSIS toolbox empty in Visual Studio 2019 community?

Automatic include files in folder in Visual Studio 2019 project

Unable to download any Microsoft Visual Studio 2019 Extension

How to enable ESLint for TypeScript files in Visual Studio 2019?

Porting WinDbg plugin to Visual Studio 2019 extension

Visual studio 2019 - Publish to a folder does not publish all files

GDAL Library Header Files Error and Warningsin With Visual Studio 2019

Visual Studio 2019 - Set a default extension for a file type

Visual Studio 2019 New Project does not include SSIS, whcih is installed

Are there any Visual Studio 2019 extensions for Unity .shader files?

Get 80040153 error with Visual Studio 2019 SSIS project when targeting SQLServer 2019

Visual Studio community 2019 cannot add cpp files to project

Hybris: How to create separate log4j log files in the same extension

Can I install "JSON Viewer" extension for Visual Studio 2019?

Edit Xaml files on debuging Visual studio 2019, WPF

Visual Studio 2019 not picking up CS generated files

Linking multiple files with MASM and Visual Studio 2019

Visual Studio 2019 Extension That Shows Errors inside the Code Editor

Visual Studio 2019 is not running other .cpp files

Visual Studio 2019 is not detected by Github extension

This version of Visual Studio is unable to open the following projects SSIS VS 2019

Visual Studio 2019 - Cannot add Custom Pipeline Object to Toolbox SSIS

SSIS Extension for Visual Studio 2022

DotVVM extension install errors on Visual Studio 2019

TOP Ranking

HotTag

Archive