Skip to content

Azure DevOps & Azure DevOps server impacted by Log4j vulnerability

Microsoft confirmed yesterday that Azure DevOps server & Azure DevOps has been impacted by Log4j vulnerability. Azure DevOps uses elastic search and based on the investigation, Azure DevOps team decided to patch the Log4j version to the latest and also update the Web application firewall rules. It seems Log4j affects TFS2017 or later and Azure DevOps 2020 server as the product uses Elastic search. The team is currently working on the patches for all the TFS and Azure DevOps versions

Azure DevOps ProductStatusMitigation/Patch
Azure DevOpsAffectedFixed
Azure DevOps Server 2020AffectedNot yet Fixed
Azure DevOps Server 2019AffectedNot yet Fixed
TFS Server 2018Affected Not yet Fixed
TFS Server 2017Affected Not yet Fixed
. (Source :