Definitive solution for log4shell in Azure DevOps Server Search

Last year around this time the log4shell bug in log4j was made public. Older versions of Team Foundation Server and Azure DevOps Server ship with Elastic Search to power their advanced search features. The version of Elastic Search that ships with those releases is quite old and was never truly fixed, only patched.

A version of Azure DevOps Server with a reasonably recent, secure, and supported version of Elastic Search is coming soon.

Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability
Azure DevOps Server can be configured with advanced Code Search. That feature relies on Elastic Search. Depending on the age of your server, the JVM version and the Elastic Search version, this may leave your setup vulnerable to CVE-2021-44228.

Azure DevOps Server 2022

Microsoft finally will be releasing Azure DevOps Server 2022, which ships with Elastic Search 7.17.5:

Elastic Search 7.17.5 that ships with Azure DevOps Server 2022 RTW

This version no longer relies on patched jar files; it finally ships with a version of log4j that should be secure.
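To tell the two situations apart on an existing server (an old jar with the vulnerable class removed, versus a jar that is actually a fixed log4j release), the check below inventories the log4j-core jars under an Elastic Search installation. It is an added example, not code from the original post or from Microsoft; the install path and the 2.17.1 version floor are assumptions, so adjust both to your environment.

```powershell
# Added example (not part of the original post). For every log4j-core jar under an
# Elastic Search install directory, report the version from the jar manifest and
# whether the JndiLookup class (the one older "patched" jars removed) is still present.
param(
    # Assumed location; point this at the Search folder of your own installation.
    [string]$SearchRoot = 'C:\Program Files\Azure DevOps Server 2020\Search',
    # Assumed floor. 2.15.0 is the minimum fix for CVE-2021-44228 alone; later
    # releases fixed follow-up issues, so 2.17.1 is used here as the "OK" threshold.
    [version]$MinimumSafeVersion = [version]'2.17.1'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jJarReport {
    param([Parameter(Mandatory)][string]$JarPath)

    $jndiClass = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        # Presence of JndiLookup.class is what the removal-style patches changed.
        $hasJndiLookup = $null -ne ($zip.Entries | Where-Object { $_.FullName -eq $jndiClass })

        # Read Implementation-Version from the manifest rather than trusting the file name.
        $version = $null
        $manifest = $zip.GetEntry('META-INF/MANIFEST.MF')
        if ($manifest) {
            $reader = New-Object System.IO.StreamReader($manifest.Open())
            try {
                $line = ($reader.ReadToEnd() -split "`r?`n") |
                    Where-Object { $_ -like 'Implementation-Version:*' } |
                    Select-Object -First 1
                if ($line) {
                    $raw = ($line -replace '^Implementation-Version:\s*', '') -replace '[^\d.].*$', ''
                    try { $version = [version]$raw } catch { $version = $null }
                }
            } finally { $reader.Dispose() }
        }
    } finally { $zip.Dispose() }

    # Classify: a real fixed release is "OK"; an old jar with the class stripped is
    # only "MITIGATED"; an old jar that still carries the class is "VULNERABLE".
    $status =
        if ($version -and $version -ge $MinimumSafeVersion) { 'OK' }
        elseif (-not $hasJndiLookup)                         { 'MITIGATED (JndiLookup removed, log4j still old)' }
        elseif ($version -and $version -ge [version]'2.15.0') { 'OUTDATED (below assumed floor)' }
        else                                                 { 'VULNERABLE' }

    [pscustomobject]@{
        Jar            = $JarPath
        Version        = if ($version) { $version.ToString() } else { 'unknown' }
        HasJndiLookup  = $hasJndiLookup
        Status         = $status
    }
}

function Get-BundledJavaVersion {
    param([Parameter(Mandatory)][string]$Root)
    # Elastic Search ships its own JDK; java -version writes to stderr, hence 2>&1.
    Get-ChildItem -Path $Root -Recurse -Filter 'java.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $banner = (& $_.FullName -version 2>&1 | Select-Object -First 1)
            [pscustomobject]@{ Java = $_.FullName; Version = "$banner" }
        }
}

Get-ChildItem -Path $SearchRoot -Recurse -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Log4jJarReport -JarPath $_.FullName } |
    Format-Table -AutoSize

Get-BundledJavaVersion -Root $SearchRoot | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server hosting the Search service. A jar reported as MITIGATED is the situation the post describes for older releases: the exploitable class is gone, but the underlying log4j is still an old, unsupported build, which is why upgrading to 2022 is the proper fix rather than re-patching.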

Upgrading

You won't be able to use this version of Elastic Search with an older version of Azure DevOps Server; the way forward is to perform the upgrade to 2022.

Need help?

In case you need help to prepare or perform an upgrade of your aging Team Foundation Server or Azure DevOps Server installation, don't hesitate to reach out.
