This repository has been archived by the owner on Feb 2, 2023. It is now read-only.

Microsoft PowerAutomate Desktop 10.0.1770.0_x64 #397

Open
PersonalRobotJesus opened this issue Dec 27, 2021 · 2 comments

PersonalRobotJesus commented Dec 27, 2021

  • Vendor: Microsoft

  • Product: PowerAutomate Desktop

  • Version: 10.0.1770.0_x64

  • Status: Unknown (disclosed to vendor, awaiting response from vendor)

  • Update Available: No

  • Notes: Vulnerability disclosed to vendor. Initially found using PowerShell script at https://github.com/CERTCC/CVE-2021-44228_scanner and confirmed by manually examining unpacked archive.

  • References: From pom.xml located in C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.1770.0_x64__8wekyb3d8bbwe\java-support pad.javabridge.jar:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>2.12.1</version>
    <relativePath>../</relativePath>
  </parent>
  <artifactId>log4j-core</artifactId>
  <packaging>jar</packaging>
  <name>Apache Log4j Core</name>
  <description>The Apache Log4j Implementation</description>
  <properties>
    <log4jParentDir>${basedir}/..</log4jParentDir>
    <docLabel>Core Documentation</docLabel>
    <projectDir>/core</projectDir>
```

Archive contains org/apache/logging/log4j/core/lookup/JndiLookup.class

Official Vendor Statement re: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Official Vendor-provided mitigation actions (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228)

  • Last Updated: 1/1/2022
    :added links to vendor statements and mitigation pages
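
The manual confirmation described in the report above (log4j-core version read from the embedded pom.xml, plus presence of JndiLookup.class), as an added Python example that is not part of the original issue or of the CERT/CC scanner. The function names, the entry-size cap, the nesting depth and the handling of nested archives are assumptions of this example, and the sample jar is constructed.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MAX_ENTRY = 64 * 1024 * 1024  # assumed cap: skip oversized entries (zip-bomb guard)

def core_version(pom_bytes):
    """log4j-core version from a pom.xml (own or inherited from <parent>), else None."""
    try:
        root = ET.fromstring(pom_bytes)
    except ET.ParseError:
        return None
    if root.findtext("m:artifactId", namespaces=POM_NS) != "log4j-core":
        return None
    return (root.findtext("m:version", namespaces=POM_NS)
            or root.findtext("m:parent/m:version", namespaces=POM_NS))

def inspect_archive(source, label, depth=0, max_depth=4):
    """Yield (label, version, has_jndi_lookup) for an archive and any nested jars."""
    try:
        zf = zipfile.ZipFile(source)  # source: filesystem path or file-like object
    except zipfile.BadZipFile:
        return
    with zf:
        small = [i.filename for i in zf.infolist() if i.file_size <= MAX_ENTRY]
        poms = (core_version(zf.read(n)) for n in small if n.endswith("pom.xml"))
        version = next((v for v in poms if v), None)
        has_jndi = JNDI_CLASS in zf.namelist()
        if version or has_jndi:
            yield label, version, has_jndi
        for n in small:
            if depth < max_depth and n.lower().endswith((".jar", ".war", ".ear")):
                yield from inspect_archive(io.BytesIO(zf.read(n)),
                                           f"{label}!/{n}", depth + 1, max_depth)

def sample_jar():
    """Constructed input: a jar with the two artifacts the report relies on."""
    pom = (b'<project xmlns="http://maven.apache.org/POM/4.0.0"><parent><version>2.12.1'
           b"</version></parent><artifactId>log4j-core</artifactId></project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.xml", pom)
        z.writestr(JNDI_CLASS, b"")  # placeholder entry, not a real class file
    return buf

if __name__ == "__main__":
    print(list(inspect_archive(sample_jar(), "sample.jar")))
```

Pass a filesystem path instead of `sample_jar()` to check a real archive; a result with a version but `has_jndi_lookup` false indicates the class has been stripped from that jar.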
Collaborator

LA100ti commented Dec 29, 2021

@PersonalRobotJesus we would much appreciate if you can provide an official link to the vendor advisory or response to your disclosure. Thank you.

@justmurphy justmurphy added the need info This issue or pull request requires further information label Dec 29, 2021
@PersonalRobotJesus
Author

> @PersonalRobotJesus we would much appreciate if you can provide an official link to the vendor advisory or response to your disclosure. Thank you.

I have not received a reply from the vendor, but I will add a link to their official advisory page re: log4j vulnerabilities.
