on 2021 Dec 10 9:27 PM
We were just made aware of a severe vulnerability in the Java logging library Apache Log4j.
See the following article for more information:
Is this library present and being used by the Crystal Reports runtime engine for .NET SDK (using v13.0.30.3805)? If so, what measures can we take to mitigate this vulnerability? Is SAP planning to issue some kind of patch?
Thanks in advance.
Hi John,
The important part about all of these issues is that the classes in log4j that have the issue are not included in the SAP versions, so I'm not sure about the scanner you are using and whether it looks for the specific class definition or just the file/versions.
The only version that was affected is CR for Eclipse, and for that one we just released SP 28 to fix the issue with the updated log4j jar version 2.17.1.
https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads
Use Google and search for this KBA 3131199 for CR for Eclipse.
You will need to contact Sage to see if and when they provide a fix or answer.
I don't believe you'll be able to delete the files; the install manifest file will put them back if it detects them missing.
Just be assured our version does not include the class with the vulnerability, so it's not an issue.
Hope that clears things up for everyone.
Don
Update:
Only CR4Eclipse was impacted but, as per KBA 3131199, it has now been corrected in SP28.
You can get SP 28 from here:
https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads
Would it be possible to gain access to this KBA somehow? We do not have an S-user id and so cannot access it. It would be much appreciated if you would be able to provide a link that allows us to view it.
Thank you.
Hi Guys,
We've discussed this over the weekend and it does not impact CR, CR for VS or the BOE runtime at all.
Yes, our version is out of date and we are working on updating it, but there is no impact to the .NET runtime since it's not used.
So you can ignore the warning.
Don
Don,
Is there an official release from SAP that explains this? Preferably a document that we all can access without the need for an S-user id?
Thanks.
Hi Don,
We have a client which is currently still running and using SAP Crystal Server and Crystal Reports 2013, an old version.
Since SAP Crystal Server 2013 is run on BI Platform 4.1, could you check and confirm to us whether this version is impacted or not?
In the latest SAP notes release, it only mentions that SAP BusinessObjects Business Intelligence Platform 4.2 and 4.3 environments were not impacted.
Hi Dave,
Please refer to the note released by SAP on this:
3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability
Hope this helps!
Regards
Karthik
Apparently, an S-user id is required to access this information. We do not have an S-user id. How can we obtain this document?
Hi Edward,
I had a connect with the SAP team and they confirmed no impact on any of the BI components, and that includes Crystal Reports.
However, you will need to validate the log4j.jar versions of the Apache Tomcat services and apply the fix if the version you are on is vulnerable.
Apache Log4j Security Vulnerabilities
Good luck!
Karthik
I read this note but it doesn't go far enough -- I need further clarity to actually believe it. Crystal Reports 2016 SP4 installer has left no less than 4 copies of the log4j.jar (dated 2/1/2017), all sourced to the BusinessObjects Enterprise XI 4.0 subfolder.
Are we assumed to be safe because the version number is old? Or are we presumed safe if we are not actually using the XI 4.0 Server?
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\jars\lib
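The question above (and Don's remark earlier about scanners that match on file name or version rather than on the class definition) is answered by opening each jar and looking at what is actually inside it. The script below is an added example written for this thread; it is not SAP, Sage or Qualys tooling. It walks a directory tree such as the four XI 4.0 folders listed above, reads each jar's manifest version and checks for org/apache/logging/log4j/core/lookup/JndiLookup.class, the Log4j 2.x class whose presence is what makes CVE-2021-44228 exploitable; a Log4j 1.x jar (package org/apache/log4j/) never contains it. The 2.17.1 threshold is the fixed version Don cites for CR for Eclipse SP 28. The three jars it scans are constructed stand-ins built in a temporary directory, not copies of any SAP file.

```python
"""Classify log4j jars by content (JndiLookup class + manifest version), not by file name or date."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 2.x class that performs the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# A class present in Log4j 1.x but not 2.x; used only to tell the two generations apart.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Fixed release cited in the thread (log4j 2.17.1 shipped with CR for Eclipse SP 28).
FIXED_VERSION = (2, 17, 1)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); '2.16' becomes (2, 16, 0); None if unparseable."""
    if not text:
        return None
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def inspect_jar(path):
    """Report the manifest Implementation-Version and which marker classes the jar contains."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
    return {
        "path": str(path),
        "version": version,
        "is_log4j1": LOG4J1_MARKER in names,
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
    }


def classify(info):
    """Verdict based on contents; a file-name or date match alone cannot give this."""
    if info["has_jndi_lookup"]:
        ver = parse_version(info["version"])
        if ver is None or ver < FIXED_VERSION:
            return "jndilookup-present-upgrade"  # class present, version unknown or pre-fix
        return "jndilookup-present-fixed"        # class present, but at or after 2.17.1
    if info["is_log4j1"]:
        return "log4j1-no-jndilookup"            # 1.x jar: the CVE-2021-44228 class does not exist
    return "no-jndilookup"                       # api-only 2.x jar or unrelated contents


def scan_tree(root):
    """Walk a tree (e.g. the XI 4.0 folders) and return {jar path: verdict} for every *.jar."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                full = Path(dirpath) / name
                results[str(full)] = classify(inspect_jar(full))
    return results


def _make_jar(path, version, entries):
    """Write a constructed jar: a manifest plus empty entries (contents are irrelevant to a presence check)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_jars(root):
    """Create three constructed sample jars under root; returns {scenario: path}."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    paths = {
        "legacy": root / "lib" / "log4j.jar",            # mimics a 1.x jar: no JndiLookup class
        "old2x": root / "lib" / "log4j-core-2.14.1.jar",  # pre-fix 2.x core: class present
        "fixed": root / "log4j-core-2.17.1.jar",          # fixed 2.x core: class present, newer
    }
    _make_jar(paths["legacy"], "1.2.17", [LOG4J1_MARKER, "org/apache/log4j/Appender.class"])
    _make_jar(paths["old2x"], "2.14.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS])
    _make_jar(paths["fixed"], "2.17.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS])
    return {k: str(v) for k, v in paths.items()}


def run_demo():
    """Build the constructed samples in a temp dir, scan them and return verdicts keyed by scenario."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_jars(tmp)
        verdicts = scan_tree(tmp)
        return {name: verdicts[path] for name, path in paths.items()}


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:8s} -> {verdict}")
```

To use it on a real install, call scan_tree() with one of the XI 4.0 paths quoted above. A "log4j1-no-jndilookup" verdict for an old log4j.jar is the case Don describes: the file exists, so a name-based scanner flags it, but the class that CVE-2021-44228 depends on is not in it. The version-only check in classify() is deliberately conservative: a jar that contains JndiLookup with no readable manifest is reported for upgrade rather than assumed safe.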
We were finally able to review this KBA. Not to beat a dead horse, but it makes no specific mention of the SAP Crystal runtime for .NET, which was the subject of my post. We see Crystal Reports and other BO components, but nothing about the runtime.
Will this component be added to the list of environments not affected by this vulnerability?
Environment
SAP BusinessObjects Business Intelligence Platform 4.2, 4.3
SAP BusinessObjects Business Intelligence (BI) Platform 4.0 / 4.1 * NO LONGER SUPPORTED
SAP Crystal Server 2016, 2020
SAP Crystal Reports 2016, 2020
SAP Crystal Reports for Enterprise 4.2, 4.3
Live Office
Universe Design Tool (UDT)
Analysis for Office (AO) and Analysis for Office Add-on for BI Platform
Lumira Discovery, Lumira Server for BI Platform & Lumira Designer
SAP BI Mobile server
All Operating Systems
And to answer your question, CR for VS does not use log4j; it uses log4net, so this doesn't impact CR for VS at all.
Will the Sage Fixed Assets bundled SAP Crystal Reports for Sage still work if the log4j files are deleted from the system?
Qualys is still flagging the files as at risk, even though SAP mentions above that they are not affected. I'm being asked to delete the files from the client computers.
Hi Expert,
If the Log4j vulnerability is not impacting Business Objects 4.2, then how can we fix the issue on Tomcat nodes?
Thanks
SAP sent me this: support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf
But I can't access it since I'm not linked to an S-user ID.