cancel
Showing results for 
Search instead for 
Did you mean: 

Log4j security vulnerability with SAP Crystal Reports for .NET SDK

dave_smith2
Participant
40,968

We were just made aware of a severe vulnerability in the Java logging library Apache Log4j.

See the following article for more information:

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-bei...

Is this library present and being used by the Crystal Reports runtime engine for .NET SDK (using v13.0.30.3805)? If so, what measures can we take to mitigate this vulnerability? Is SAP planning to issue some kind of patch?

Thanks in advance.

Accepted Solutions (1)

Accepted Solutions (1)

0 Kudos

Hi John,

The important part about all of these issues is the classes in log4j that have the issue is not included in the SAP versions so not sure about the scanner you are using and if it looks for the specific class definition or just the file/versions.

The only version that was affected is in CR for Eclipse and that one we just released SP 28 to fix the issue with the updated log4j jar version 2.17.1

https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads

Use Google and search for this KBA 3131199 for CR for Eclipse.

You will need to contact Sage to see if and when they provide a fix or answer.

I don't believe you'll be able to delete the files, the instal manifest file will put it back on if it detects it missing.

Just be assured our version does not include the class with the vulnerability so it's not an issue.

Hope that clears things up for everyone.

Don

Answers (7)

Answers (7)

Update:

Only CR4Eclipse was impacted but, as per KBA 3131199, it has now been corrected in SP28.

You can get SP 28 from here:

https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads

dave_smith2
Participant

Would it be possible to gain access to this KBA somehow? We do not have an S-user id and so cannot access it. It would be much appreciated if you would be able to provide a link that allows us to view it.

Thank you.

Hi Guys,

We've discussed this over the weekend and it does not impact CR or CR for VS or BOE runtime at all.

Yes our version is out of date and we are working on updating it but there is no impact to .NET runtime since it's not used.

So you can ignore the the warning.

Don

former_member780741
Discoverer
0 Kudos

Hi Don,

I understand Apache Tomcat is open source and is bundles with SAP. Can you help if there is any impact on log4j.jar versions below 2 within Apache tomcat please.

Regards

Karthik

dave_smith2
Participant

Don,

Is there an official release from SAP that explains this? Preferably a document that we all can access without the need for an S-user id?

Thanks.

former_member776593
Discoverer
0 Kudos

Hi Don,

We have our client which currently still running and using SAP Crystal Server and Crystal Reports 2013 old version.

Since SAP Crystal Server 2013 is run on BI Platform 4.1, could you check and confirm to us whether this version is impacted or not?

In latest SAP notes release, it only mention SAP BusinessObjects Business Intelligence Platform 4.2, 4.3 environment were not impacted.

former_member780741
Discoverer

Hi Dave,

Please refer to the note released by SAP on this:

3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

Hope this helps.!

Regards

Karthik

dave_smith2
Participant
0 Kudos

Hi,

I am unable to access this link due to some sort of authentication issue (see below error). Can you provide a link that will allow me to access this document? Thanks.

You are signed in with a P-user ID. Visitors with an S-user ID will benefit from more tools and enhanced functionality.

dave_smith2
Participant

Apparently, an S-user id is required to access this information. We do not have an S-user id. How can we obtain this document?

tomaslov
Explorer
0 Kudos

We also have an issue reaching this document, as we only have P-user ID as well. Could anyone please share the related info somewhere more open to us who need this?

ayman_salem
Active Contributor
0 Kudos

see me Answer

edwardtam
Discoverer
0 Kudos

I also need to have this answered specifically for the SAP Crystal Reports 2016. Could anyone please share the related info?

former_member780741
Discoverer
0 Kudos

Hi Edward,

I had a connect with SAP team and they confirmed no impact on any of BI components and that includes crystal reports.

However, you will need to validate log4j.jar versions of Apache Tomcat services and apply fix if the version you are on is vulnerable.

Apache Log4j Security Vulnerabilities

Good Luck.!

Karthik

jason_walters2
Explorer
0 Kudos

I read this note but it doesn't go far enough -- I need further clarity to actually believe it. Crystal Reports 2016 SP4 installer has left no less than 4 copies of the log4j.jar (dated 2/1/2017), all sourced to the BusinessObjects Enterprise XI 4.0 subfolder.

Are we assumed to be safe because the version number is old? Or are we presumed save if you are not actually using the XI 4.0 Server?

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\jars\lib

jar.png

dave_smith2
Participant
0 Kudos

We were finally able to review this KBA. Not to beat a dead horse, but it makes no specific mention of the SAP Crystal runtime for .NET, which was the subject of my post. We see Crystal Reports and other BO components, but nothing about the runtime.

Will this component be added to the list of environments not affected by this vulnerability?

Environment

SAP BusinessObjects Business Intelligence Platform 4.2, 4.3

SAP BusinessObjects Business Intelligence (BI) Platform 4.0 / 4.1 * NO LONGER SUPPORTED

SAP Crystal Server 2016, 2020

SAP Crystal Reports 2016, 2020

SAP Crystal Reports for Enterprise 4.2, 4.3

Live Office

Universe Design Tool (UDT)

Analysis for Office (AO) and Analysis for Office Add-on for BI Platform

Lumira Discovery, Lumira Server for BI Platform & Lumira Designer

SAP BI Mobile server

All Operating Systems

0 Kudos

And to answer your question CR for VS does not use log4j, it uses log4net so doesn't impact CR for VS at all

sankethgardas
Member
0 Kudos

Hi,

Is Crystal Reports 2011 version 14.0.7 affected by log4j vulnerability as well?

baerjo
Member
0 Kudos

Will the Sage Fixed Assets bundled SAP Crystal Reports for Sage still work if the log4j files are deleted from the system?

Qualys is still flagging the files as at risk, even though SAP mentions above that they are not affected. I'm being asked to delete the files from the client computers.

srujankumar28
Explorer
0 Kudos

Hi Expert,

If Log4j vulnerability are not impacting Business Objects 4.2 then how can we fix the issue on Tomcat nodes?

Thanks

dmjohnston
Explorer
0 Kudos

SAP sent me this: support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf

But I can't access it since I'm not linked to an S-user ID.

Joe_Peters
Active Contributor
0 Kudos

I can't copy it word-for-word, but it only says that they're aware of the problem and looking into it.