
Log4j security vulnerability with SAP Crystal Reports for .NET SDK

dave_smith2
Participant
40,969

We were just made aware of a severe vulnerability in the Java logging library Apache Log4j.

See the following article for more information:

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-bei...

Is this library present and being used by the Crystal Reports runtime engine for .NET SDK (using v13.0.30.3805)? If so, what measures can we take to mitigate this vulnerability? Is SAP planning to issue some kind of patch?

Thanks in advance.


Hi John,

The important part about all of these issues is that the classes in log4j that have the issue are not included in the SAP versions, so not sure about the scanner you are using and if it looks for the specific class definition or just the file/versions.

The only version that was affected is in CR for Eclipse, and for that one we just released SP 28 to fix the issue with the updated log4j jar version 2.17.1.

https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads

Use Google and search for this KBA 3131199 for CR for Eclipse.

You will need to contact Sage to see if and when they provide a fix or answer.

I don't believe you'll be able to delete the files; the install manifest file will put it back on if it detects it missing.

Just be assured our version does not include the class with the vulnerability so it's not an issue.

Hope that clears things up for everyone.

Don
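
The answer above distinguishes a scanner that matches file names or versions from one that looks for the specific class. The following sketch shows that difference; it is an added example, not part of the original thread and not SAP's or any scanner vendor's code. It assumes the class in question is log4j-core's `JndiLookup.class` (the thread does not name it); the function names and the `name-only` / `class-present` labels are illustrative.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: the class a class-aware scanner looks for in log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j.*\.jar$", re.IGNORECASE)


def inspect_jar(data, name):
    """Return (name_match, has_jndi_class) for one archive given as bytes.

    Nested .jar/.war/.ear entries are opened recursively, because a copy of
    log4j can be bundled inside another archive.
    """
    name_match = bool(NAME_RE.search(name))
    has_class = False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry == JNDI_CLASS or entry.endswith("/" + JNDI_CLASS):
                    has_class = True
                elif entry.lower().endswith((".jar", ".war", ".ear")):
                    inner_name, inner_class = inspect_jar(zf.read(entry), entry)
                    name_match = name_match or inner_name
                    has_class = has_class or inner_class
    except zipfile.BadZipFile:
        pass  # not a readable archive; only the file-name result is reported
    return name_match, has_class


def scan_tree(root):
    """Classify every .jar under root; jars with neither signal are omitted."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        name_match, has_class = inspect_jar(path.read_bytes(), path.name)
        if has_class:
            findings[str(path)] = "class-present"  # the class file is in the archive
        elif name_match:
            findings[str(path)] = "name-only"      # what a file/version scanner flags
    return findings
```

A `name-only` result is the situation the answer describes: the file name matches, but the class is not in the archive. Running `scan_tree` over the runtime's install directory shows which of the two a given finding is.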