last updated: 2022-03-10 10:20 CET
Currently the security topic log4j (CVE-2021-44228, CVSS score 10 of 10, and others) is omnipresent. In this blog I want to show how you can check your HANA XSA systems, implement the mitigation, and verify that the settings are correct.
Source: GovCERT.ch
The fix provided by log4j version 2.15.0 is incomplete in certain non-default configurations, so a new CVE was raised: CVE-2021-45046 (initial CVSS score 3.7, now 9.0 / 10).
This one is fixed with log4j 2.16.0.
Details: lunasec
There is a new vulnerability called CVE-2021-45105 rated with a CVSS of 7.5.
This one is fixed with log4j 2.17.0, which is now included in the latest XSA runtime version 1.0.142.
There is another new vulnerability called CVE-2021-44832 rated with a CVSS of 6.6.
This one is fixed with log4j 2.17.1, which is now included in the latest patch XSA runtime version 1.0.143 and XSA Cockpit 1.1.26.
Overview
CVE | effect | fixed by log4j version | CVSS score | mitigation via workaround (WA) available | Release date
CVE-2021-44228 | execute arbitrary code loaded from LDAP servers | 2.16.0 | 10 | X | 20211126
CVE-2021-45046 | remote code execution in some environments + local code execution | 2.16.0 | 9 | X | 20211214
CVE-2021-45105 | stack overflow / DoS (denial of service) | 2.17.0 | 7.5 | X | 20211216
CVE-2021-44832 | remote code execution (RCE) attack | 2.17.1 | 6.6 | - | 20211211
To query the CVE database for all log4j vulnerabilities, use this link for searching.
The SAP products currently affected can be identified using this document, which is updated constantly.
Last update: 2022/03/09 15:55 EST (thanks to Kuto Baran for the hint)
There is a new central note for an overview (thanks to Matthias Sander for the hint):
3131047 - [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated ...
Hint: Mark the note as favorite (star in the upper right corner) to get notified of any update on it.
To mention some popular ones:
- Cloud connector is not affected (Note: 3130868)
- BusinessObjects is not affected (Note: 3129956) - This applies to all the SAP BI products listed in the Environment section of the above mentioned document
- SAP NetWeaver Application Server Java is not impacted by the CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105. This applies to all the AS Java Core Components. Applications running on top of it using the libs can be affected! (Note: 3129883)
- SAP NetWeaver Process Integration is affected (Note: 3131436/ 3130521)
- BTP Cloud Foundry applications can be affected (Note: 3130476 / 3131208)
Mitigation CVE-2021-44228
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.
The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.
Source: Apache
Log4jscanner
There is a command-line tool (built as a Go package) for scanning JARs and rewriting them in place to actively remove the vulnerable class from detected JARs. See the git repository for further details.
XS Advanced applications
- XSA
- HANA Cockpit (which also runs as an XSA application) - see also note 3131397
XSA runtime affected: version <= 1.0.140. As of 2021/12/21 there is a new version 1.0.141 which includes a fix (3130864 - EXTENDED APPLICATION SERVICES 1 Release Collection 1.0.141); it includes log4j version 2.16.0. [Thanks to Matthias Sander and sander.meijer3]
Determine XSA Runtime version
Login as sidadm:
xs version
Check whether you can implement the mitigation parameters: they require log4j version >= 2.10 (see the table below).
Determine log4j version
find /hana/shared/<SID>/xs/uaaserver/tomcat -name "*log4j*"
XS Advanced Runtime | log4j version | affected by | highest CVSS rating
<1.0.140 | <2.15 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | 10
1.0.141 | 2.16.0 | CVE-2021-45105 | 7.5
1.0.142 | 2.17.0 | CVE-2021-44832 | 6.6
1.0.143 | 2.17.1 | - | -
Download patch search:
https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_E...
There is a patch for HANA Cockpit SP14 Patch 6 from RTC 2022/03/02 which includes the XS Advanced Runtime 1.0.143 (Summary SP14).
The on-premise stack contains:
LCM for Cockpit - 2.5.61
HDB - 2.00.059
SAP_EXTENDED_APP_SERVICES - 1.0.143
XSAC_HRTT - 2.14.220501
XSAC_COCKPIT - 2.14.6
XSAC_PORTAL_SERV - 2.006.1
XSAC_XSA_COCKPIT - 1.1.26
Thanks to joerg.latza for posting the details.
Determine XSA Cockpit version
xs spaces
xs login -s <SPACE>
xs lc
XSA Cockpit version | log4j version | affected by | highest CVSS rating
<1.1.23 | <2.15.0 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | 10
1.1.23 | 2.15.0 | CVE-2021-45046, CVE-2021-45105 | 9
1.1.24 | 2.16.0 | CVE-2021-45105 | 7.5
1.1.25 | 2.17.0 | CVE-2021-44832 | 6.6
1.1.26 | 2.17.1 | - | -
Download patch search:
https://launchpad.support.sap.com/#/softwarecenter/search/XSA%2520COCKPIT%25201
Attention
From the note: On SAP HANA systems with enabled System Replication (HSR), execute step 1 on the primary and all secondary systems. Executing steps 2-4 is required on the primary system only.
The current state of information is that all Java versions are affected, even with com.sun.jndi.ldap.object.trustURLCodebase deactivated.
>> It was initially reported by Lunasec that servers running on JDK versions higher than 6u211, 7u201, 8u191 are not affected by the LDAP RCE attack vector, as the com.sun.jndi.ldap.object.trustURLCodebase is disabled by default, hence JNDI cannot load a remote codebase using LDAP. However, further analysis by the community has revealed that all JDK versions are vulnerable to this kind of attack. Alvaro Muñoz commented on Twitter that deserialization attacks are still possible with the latest JDK: "The ldap server will return a serialized object which will get deserialized. RCE depends on gadget availability in the classpath though" <<
Source: https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/
Check the used java version:
cd /hana/shared/<SID>/xs/sapjvm_*/bin
./java -version
Implementation of the parameters
login as sidadm
cdcoc
cp -p xsuaaserver.ini xsuaaserver.ini.bkp
cat xsuaaserver.ini
#if only the section [configuration] is available (default):
echo "UAA.Jvm.AdditionalParameters = -Dlog4j2.formatMsgNoLookups=true" >> xsuaaserver.ini
cat xsuaaserver.ini
#if not, insert the line into the [configuration] section via vi
vi xsuaaserver.ini
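The `echo >>` step above appends blindly: run twice, or on a file where UAA.Jvm.AdditionalParameters already carries other JVM options, it leaves duplicate or conflicting keys. As an added example (not from the original post or from SAP), here is an idempotent version of that edit in Python; it assumes xsuaaserver.ini is a plain `key = value` INI file and keeps all other parameters, sections and comments untouched.

```python
import re

SECTION = "[configuration]"
KEY = "UAA.Jvm.AdditionalParameters"
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
KEY_RE = re.compile(rf"^\s*{re.escape(KEY)}\s*=\s*(.*)$")


def _config_section(lines):
    """Return (header_index, end_index) of the [configuration] body, or None."""
    for i, line in enumerate(lines):
        if line.strip() == SECTION:
            end = next((j for j in range(i + 1, len(lines))
                        if lines[j].lstrip().startswith("[")), len(lines))
            return i, end
    return None


def has_no_lookups(ini_text):
    """True if the JVM flag is already part of KEY inside [configuration]."""
    lines = ini_text.splitlines()
    bounds = _config_section(lines)
    if bounds is None:
        return False
    for line in lines[bounds[0] + 1:bounds[1]]:
        m = KEY_RE.match(line)
        if m and FLAG in m.group(1).split():
            return True
    return False


def ensure_no_lookups(ini_text):
    """Add FLAG exactly once; existing JVM options and other sections survive."""
    lines = ini_text.splitlines()
    bounds = _config_section(lines)
    if bounds is None:                       # no [configuration] yet: create it
        lines += [SECTION, f"{KEY} = {FLAG}"]
        return "\n".join(lines) + "\n"
    start, end = bounds
    for i in range(start + 1, end):
        m = KEY_RE.match(lines[i])
        if m:                                # key exists: extend its value
            params = m.group(1).split()
            if FLAG not in params:
                params.append(FLAG)
            lines[i] = f"{KEY} = {' '.join(params)}"
            return "\n".join(lines) + "\n"
    lines.insert(start + 1, f"{KEY} = {FLAG}")  # section without the key
    return "\n".join(lines) + "\n"
```

Running `ensure_no_lookups` a second time returns the text unchanged, and `has_no_lookups` is the programmatic equivalent of the `cat xsuaaserver.ini` check.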
check your XSA before you apply changes:
XSA diagnose
XSA backup-ssfs
XSA backup-fss
To find vulnerable XS advanced applications with respect to CVE-2021-44228:
xs-admin-login
xs find-artifacts -n "log4j-core*"
Mitigations (note that, due to CVEs other than CVE-2021-44228, an update is strongly recommended):
- set workaround environment parameter LOG4J_FORMAT_MSG_NO_LOOKUPS to true
- remove the JndiLookup class from the classpath
xs-admin-login
xs urevg --add LOG4J_FORMAT_MSG_NO_LOOKUPS true
cdxs
zip -q -d ./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d ./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
XSA restart
!!!This will restart your XSA services which means your applications will not be available for 15-30min!!!
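The version check (`find ... -name "*log4j*"`) and the `zip -q -d ... JndiLookup.class` step above are done by hand. As an added example (not from the original post, SAP or the Apache project), the following Python script automates both with the standard library only: it reads the log4j-core version from a jar file name, lists the CVEs from the overview table that this version does not yet fix (thresholds follow that table's "fixed by log4j version" column), reports whether JndiLookup.class is still inside a jar, and rewrites the jar without it. The sample jar is constructed in memory and is not a real log4j build.

```python
import io
import re
import zipfile

# CVE -> first log4j 2.x release fixing it, per the overview table above.
FIXED_IN = {
    "CVE-2021-44228": (2, 16, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name):
    """(major, minor, patch) from a log4j-core jar file name, else None."""
    m = JAR_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def open_cves(version):
    """CVEs from the table that the given log4j 2.x version does not fix."""
    if version[0] != 2:              # log4j 1.x is outside the table's scope
        return []
    return sorted(cve for cve, fix in FIXED_IN.items() if version < fix)


def has_jndi_lookup(jar_bytes):
    """True while JndiLookup.class is still in the jar (zip -d not applied)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class, like `zip -q -d <jar> <class>`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar():
    """Constructed stand-in for a vulnerable log4j-core jar (fake class bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Point `parse_version`/`has_jndi_lookup` at the jars found under /hana/shared/<SID>/xs to get the same answer as the tables above, and keep in mind that stripping the class is only the workaround; the post's own tables show which runtime patch removes the remaining CVEs.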
check xsuaaserver.out for the correct variables / parameters:
cdtrace
grep -i log4j xsuaaserver.out
As mentioned by sathiyaraj.jagadesh2, you can also check the parameters via revg:
xs revg | grep -i log4j
Check after implementation
XSA diagnose
Check the output in the trace directory: /hana/shared/<SID>/<hostname>/trace/xsa_diagnose_results.txt
As soon as there are updates on this topic I will update the blog.
I wish SAP would list the components and versions of each patch. Having this information would save every customer a lot of time trying to figure out the right patch levels. Currently, these details are not published in any note or document. Nowadays it should not be impossible to provide such details.
SAP Security Patch Day - December 2021
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021
https://securitybridge.com/sap-patchday/sap-security-patch-day-december-2021/
Further sources:
https://logging.apache.org/log4j/2.x/security.html
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/
https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025...
https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/
https://github.com/google/log4jscanner