There is no mention of SAP Integration Suite. Is it included as part of following?

- SAP Customer Applications on BTP Neo Environment

- SAP Customer Applications on BTP Cloud Foundry Environment

Hi Greg,

thanks for posting the link to the official document by SAP.

Will updates be done directly in the link: https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025... ?

The statement in the document "The information below is subject to change and will be updated regularly" can also mean that in case of updates a new document will be created with a separate link. I assume that an official page by SAP will then link to the new document, but I have currently only the "deep link".

Thanks,

Rainer Winkler

CubeServ GmbH

I think it is just a general statement. The most relevant and up to date list I would think of, would be the search on notes with the tag "CVE-2021-44228":

https://launchpad.support.sap.com/#/solutions/notesv2/?q=CVE-2021-44228&sortBy=date&sortOrder=desc

Hi shaun.wimpory2

where did you see that PO is affected ? Note 3129883 start with BeanFactory class is not present in AS Java default installation...

Thanks for the note. Here are the log4j jar files from our PO installations.

/usr/sap/<SID>/J<instno>/j2ee/cluster/bin/ext/com.sap.aii.adapter.ws.cxf.lib/lib/org.apache.logging.log4j-log4j-api-2.13.3.jar

/usr/sap/<SID>/J<instno>/j2ee/cluster/bin/ext/com.sap.aii.adapter.ws.cxf.lib/lib/org.apache.logging.log4j-log4j-core-2.13.3.jar

Cheers

Shaun

just blind shot, is this anyhow relevant for you?

3130936 - R4CM CORWEB JAVA-Adapter: Log4j CVE-2021-44228

Patch for SAP Process Orchestration (AEX) (NW JAVA 7.50 SP20, SP21 and SP22) is now available: https://launchpad.support.sap.com/#/notes/3131436

Regarding BO/BI - Note 3129956 regarding CVE-2021-44228 (Log4J) has been updated to version 5 stating: "SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228, which packages log4j version 1.2.6 (as of 4.3 SP02), earlier releases of BI may have older versions."

Covered by Tammy Powlas statement posted above... that BO is not impacted by this vulnerability
https://launchpad.support.sap.com/#/notes/3129956

And you'll find plenty of older version of log4j.jars as well if you search the BOE install. (some unversioned in the name so you have to look at the Manifest)

Hi @ Brendan Gilbert,

Thanks for sharing the insights. Can you let me know how to check the Log4J version for Cloud applications like Succesfactors?

Thanks again for your support.

Regards,

Siva

Thanks dougmunford-dof I agree it does seem that older versions of log4j are not affected but do have its own vulnerabilities that wont be addressed as its EOL. There is one affected log4j version v2.11.1 on my server in TomcatConfig which is of concern.

Unfortunately I don't have access to notes so I am unable to read the statement but have asked our SAP partner to check it out and send me a copy.

Here is one of the most detailed articles I have found so far - https://www.socinvestigation.com/apache-log4j-vulnerability-detection-and-mitigation/ - im sure there will be more as this unfolds.

hi Matthias,

Good question 😉

i found the following on our ME / MII systems (15.4.x / NW 7.5 SP21).

It would therefore not be relevant, as it is too old ;-(

The following leads to the info.

3131215 - Impact of log4j (CVE-2021-44228) vulnerability on SAP Process Orchestration

https://launchpad.support.sap.com/#/notes/3131215

3129883 - CVE-2021-44228 - AS Java Core Components' impact for Log4j vulnerability

https://launchpad.support.sap.com/#/notes/3129883

Connected to localhost.

Escape character is '^]'.

***********************************************

**********************************************

****###*******####*****#######**************

**##***##****##**##****##****##************

***##*******##****##***##****##**********

*****##*****########***######***********

******##****##****##***##*************

**##***##**##******##**##************

****###****##******##**##**********

**********************************

********************************

Telnet Administration

SAP Java EE Application Server v7.50

User name: Administrator

Password:

Welcome to server node XxXxXxXxX.

>llr -all -f org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Eear/app_libraries_container/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Eauditws/servlet_jsp/manufacturing-auditservices/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Epapiws/servlet_jsp/manufacturing-papiservices/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Erest/servlet_jsp/manufacturing-rest/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Emobile/servlet_jsp/manufacturing-mobile/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

>llr -all -f org/apache/logging/log4j/core/Logger.class

[Shell -> LLR] Such resource cannot be found in the registered loaders!

>llr -all -f org/apache/logging/log4j/Logger.class

[Shell -> LLR] Such resource cannot be found in the registered loaders!

>llr -all -f org/apache/names/factory/BeanFactory.class

[Shell -> LLR] Such resource cannot be found in the registered loaders!

kind regards

Jan

Hello Jan

exactly

and according SAP Note 3129883

"Library versions Log4j 1.x are not affected, although update of the library is recommended"

in our opinion the SAP has to update ME, to follow their own recommendation

currently it seems to be possible, that version 1 of log4j is not secure too.

regards

Matthias

log4j 1.2.x is vulnerable to a similar issue up to version 1.2.17 (CVE-2019-17571) which is older, but similarly critical and similarly easy to exploit. Due to recent issue with log4j 2, a lot of would-be-hackers were also made aware of this old one, so it would be wise to update 1.2.x to 1.2.18 where possible

Hello
SAP has released Patch for SAP ME 15.2 SP0 & 15.3 SP0 only.
See. https://launchpad.support.sap.com/#/notes/3139601

regards

Matthias

Hello again

SAP has released first Patches for SAP ME SCRIPTS too, because this package has also log4j included

https://launchpad.support.sap.com/#/notes/3139601/E/diff

please check your system, if you do not use SAP ME on HANA DB

regards

Matthias

Bellow blog is describing the easier way to do this

Scan your Cloud Integration tenant for Log4j libraries with CPILint | SAP Blogs

Hello again

SAP has released first Patches for SAP ME SCRIPTS too, because this package has also log4j included

https://launchpad.support.sap.com/#/notes/3139601/E/diff

please check your system, if you do not use SAP ME on HANA DB

regards

Matthias

That is log4j version 1. It is old and unaffected by the vulnerability. hence the 1.2.15

The versions of log4j v2 BEGIN with 2.x.x. e.g 2.14.0

You will also find version 1.2.6 in (circa 2005) in various of the pieces pf the clientapi launchpad dswsbobje.

log4j v2 is not compatible with log4j v1 so I strongly suggest you don't replace anything.

See the comment from Tammy Powlas at the top of this for clarity that BO is unaffected.

Patch now available for both log4j CVEs (CVE-2021-44228, CVE-2021-45046): https://launchpad.support.sap.com/#/notes/3131436

hi divanova1005

im quite sure SolMan abap is not impacted

Solman Java, it's likely as well, but to be safe, follow the steps as per 3129883 and you will have your confirmation

Lastly , it is unclear about DAA and I have opened an oss for this ..

cheers!A

I didn't find the log4j libraries in our SolMan Java stack (running the latest SPS also).

3129883 - CVE-2021-44228 - AS Java Core Components' impact for Log4j vulnerability

NWA/Configuration/Infrastructure/Java System Properties/System-VM-Parameter

See KBA3130970
looks like there's no impact on ASE SDK 16

https://launchpad.support.sap.com/#/notes/3130970

our NWDI System running on sybase:

log4j version 1.2.4 and 1.2.15

for me it is looking relevant for CVE-2021-4104.

regards

Matthias