A version of Azure DevOps Server with a reasonably recent, secure, and supported version of Elastic Search is coming soon.
Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability
Azure DevOps can be configured with advanced Code Search. That feature relies on Elastic Search. Depending on the age of your server, JVM version and Elastic Search version this may result in your setup being vulnerable to CVE-2021-44228.
Azure DevOps Server 2022
Microsoft finally will be releasing Azure DevOps Server 2022, which ships with Elastic Search 7.17.5:
Elastic Search 7.17.5 that ships with Azure DevOps Server 2022 RTW
This version no longer ships with patched jar files, but finally ships with the version of log4j that should be secure.
Upgrading
You won't be able to use this version of Elastic Search with an older version of Azure DevOps Server, the way to go is to perform the upgrade to 2022.
Need help?
In case you need help to prepare or perform an upgrade of your aging Team Foundation Server or Azure DevOps Server installation, don't hesitate to reach out.
Top comments (0)