On Dec 10th, information about a security vulnerability in the Apache Log4j software surfaced on the internet. Apache Log4j is an open-source library written in Java. It is used for logging purposes in many software packages based on Java. In brief, the issue is that an attacker who can control log messages or log message parameters can execute arbitrary code when message lookup substitution is enabled. The issue was identified in Log4j 2 and fixed in Log4j 2.15.0. The vulnerability got its CVE (Common Vulnerabilities and Exposures) code as CVE-2021-44228. The CVE has a CVSS score of 10 - the most critical rating!
SAP, like many other software vendors around the world, is following up on this issue. An assessment of whether and how Log4j is used within its software is ongoing. In case a particular software product is affected by the vulnerability, the software vendor shall release a patch to fix it. At the time of writing this blog post, SAP has released a statement listing the software that is / is not / is not yet known to be affected. Particular SAP Notes are listed in the statement so customers can follow up and implement patches.
From an SAP Analytics solutions perspective, there are SAP solutions that use the Log4j library. Therefore, SAP customers should closely monitor this topic (see links below) and take action on software patching if they use any software that is identified as impacted.
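As an added example (not part of the original post, and not SAP tooling), here is a small Python inventory check for the assessment step described above: it walks a directory tree, opens every JAR/WAR/EAR it finds, including archives nested inside archives, reads the log4j-core version from the Maven pom.properties that the library ships, and flags anything in the 2.x line below 2.15.0, the fix version stated above. The fixture archives it builds in a temporary directory are constructed for the demonstration; the fixture file names, the "REVIEW" status for shaded jars that carry Log4j core classes without version metadata, and the FIXED threshold are my assumptions and should be adjusted to the vendor's current guidance.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

# Threshold stated in the post: the issue is fixed in Log4j 2.15.0.
# Later releases raised the recommended minimum; adjust FIXED to current guidance.
FIXED = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Real log4j-core jars carry their version in this Maven metadata file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Package prefix of the Log4j 2 core classes (catches shaded/relocated builds without metadata).
CORE_MARKER = "org/apache/logging/log4j/core/"

Finding = Tuple[str, str, str]  # (archive path, version, status)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable_version(text: str) -> bool:
    """CVE-2021-44228 affects the Log4j 2.x line before the fix version."""
    return (2, 0, 0) <= parse_version(text) < FIXED


def classify(version: str) -> str:
    """Map a detected version to a triage status; unknown versions need manual review."""
    if version == "unknown":
        return "REVIEW"
    return "VULNERABLE" if is_vulnerable_version(version) else "OK"


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the log4j-core version in an open archive, 'unknown' if only the classes are present, None if absent."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if any(n.startswith(CORE_MARKER) for n in names):
        return "unknown"
    return None


def _walk_archive(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    """Yield findings for this archive and for every archive nested inside it (WAR/EAR bundles)."""
    version = log4j_core_version(zf)
    if version is not None:
        yield (label, version, classify(version))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # a .jar-named entry that is not a valid zip: skip it
            yield from _walk_archive(inner, f"{label}!{name}")


def scan_directory(root: str) -> List[Finding]:
    """Walk a directory tree and collect log4j-core findings from every archive in it."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(_walk_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixtures (hypothetical names): stale and fixed core jars, a WAR bundling a stale one, a shaded jar."""
    def core_jar_bytes(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\n")
            zf.writestr(CORE_MARKER + "Logger.class", b"")
        return buf.getvalue()

    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core_jar_bytes("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.15.0.jar"), "wb") as f:
        f.write(core_jar_bytes("2.15.0"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", core_jar_bytes("2.13.3"))
        war.writestr("WEB-INF/lib/other.jar", b"not an archive")
    with zipfile.ZipFile(os.path.join(root, "shaded-app.jar"), "w") as shaded:
        shaded.writestr(CORE_MARKER + "Logger.class", b"")  # classes present, no pom.properties


def scan_sample_tree() -> dict:
    """Build the constructed fixtures in a temp dir, scan them, and return {status: count}."""
    counts = {"VULNERABLE": 0, "OK": 0, "REVIEW": 0}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for _, _, status in scan_directory(tmp):
            counts[status] += 1
    return counts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, status in sorted(scan_directory(tmp)):
            print(f"{status:10} {version:8} {path}")
```

Running it against a real installation means calling scan_directory on the application's root instead of the fixture directory; anything reported as REVIEW should be checked by hand, since a shaded or repackaged build can carry Log4j core classes without the Maven metadata this check relies on.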
More information:
SAP’s Response to CVE-2021-44228 Apache Log4j 2
Search the SAP Community for log4j
3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability
3130994 - CVE-2021-44228 - SAP Predictive Analytics impact for Log4j vulnerability