on 2021 Dec 10 9:27 PM
We were just made aware of a severe vulnerability in the Java logging library Apache Log4j.
See the following article for more information:
Is this library present and being used by the Crystal Reports runtime engine for .NET SDK (using v13.0.30.3805)? If so, what measures can we take to mitigate this vulnerability? Is SAP planning to issue some kind of patch?
Thanks in advance.
Hi John,
The important part about all of these issues is that the classes in log4j that have the issue are not included in the SAP versions, so I'm not sure about the scanner you are using and whether it looks for the specific class definition or just the file/versions.
The only version that was affected is in CR for Eclipse, and for that one we just released SP 28 to fix the issue with the updated log4j jar version 2.17.1.
https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads
Use Google and search for this KBA 3131199 for CR for Eclipse.
You will need to contact Sage to see if and when they provide a fix or answer.
I don't believe you'll be able to delete the files; the install manifest file will put it back if it detects it missing.
Just be assured our version does not include the class with the vulnerability so it's not an issue.
Hope that clears things up for everyone.
Don