cancel
Showing results for 
Search instead for 
Did you mean: 

SAP and Log4j

I've seen a few messages regarding the impact of the Log4j, CVE-2021-44228 vulnerability on a couple of products, but is there an actual list of SAP products that are confirmed to use Log4j and are impacted?

Paul_Galimba
Discoverer

Please confirm if SAP SuccessFactors Product is impacted.

wilbert_sison2
Active Participant

here's sap's list 13 Dec

shyam_kr
Explorer
0 Kudos

Tried to find the SAP SuccessFactors community and there is no response from SAP as such:

https://community.successfactors.com/t5/Learning-Forum/Log4j-CVE-2021-44228-aka-Log4Shell/td-p/28225...

There is a KBA that mentions 'appropriate patches and temporary fixes have been applied" -

https://community.successfactors.com/t5/Learning-Forum/Log4j-CVE-2021-44228-aka-Log4Shell/td-p/28225...

Accepted Solutions (0)

Answers (21)

Answers (21)

GregMalewski
Contributor
ec1
Active Participant
0 Kudos

There is no mention of SAP Integration Suite. Is it included as part of following?

- SAP Customer Applications on BTP Neo Environment

- SAP Customer Applications on BTP Cloud Foundry Environment

rainer_winkler
Contributor
0 Kudos

Hi Greg,

thanks for posting the link to the official document by SAP.

Will updates be done directly in the link: https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025... ?

The statement in the document "The information below is subject to change and will be updated regularly" can also mean that in case of updates a new document will be created with a separate link. I assume that an official page by SAP will then link to the new document, but I have currently only the "deep link".

Thanks,

Rainer Winkler

CubeServ GmbH

GregMalewski
Contributor

I think it is just a general statement. The most relevant and up to date list I would think of, would be the search on notes with the tag "CVE-2021-44228":

https://launchpad.support.sap.com/#/solutions/notesv2/?q=CVE-2021-44228&sortBy=date&sortOrder=desc

shaun_wimpory2
Participant

We have found references to log4j in the following products:

SAP Process Orchestration (AEX) (NW JAVA 7.50 SP21)

SAP Landscape Management (NW JAVA 7.50 SP16) - its in a Crystal Reports app library

Oracle 19c installations, but an educated guess tells me they aren't utilized for SAP implementations.

Now the waiting game for SAP to release all the relevant patches for customers.

amontella96
Active Contributor
0 Kudos

Hi shaun.wimpory2

where did you see that PO is affected ? Note 3129883 start with BeanFactory class is not present in AS Java default installation...

shaun_wimpory2
Participant

Thanks for the note. Here are the log4j jar files from our PO installations.

/usr/sap/<SID>/J<instno>/j2ee/cluster/bin/ext/com.sap.aii.adapter.ws.cxf.lib/lib/org.apache.logging.log4j-log4j-api-2.13.3.jar

/usr/sap/<SID>/J<instno>/j2ee/cluster/bin/ext/com.sap.aii.adapter.ws.cxf.lib/lib/org.apache.logging.log4j-log4j-core-2.13.3.jar

Cheers

Shaun

former_member594903
Discoverer
0 Kudos

just blind shot, is this anyhow relevant for you?

3130936 - R4CM CORWEB JAVA-Adapter: Log4j CVE-2021-44228

https://launchpad.support.sap.com/#/notes/3130936
settgast
Explorer
0 Kudos

Patch for SAP Process Orchestration (AEX) (NW JAVA 7.50 SP20, SP21 and SP22) is now available: https://launchpad.support.sap.com/#/notes/3131436

marco_hammel2
Participant

Hi, we did some web scrapping from help.sap.com where and for which products log4j is described in general https://github.com/NO-MONKEY/log4j_use_in_sap

Maybe this helps as an indication

TammyPowlas
Active Contributor

So far, SAP has confirmed that SAP BusinessObjects BI platform is not impacted per this SAP note: https://launchpad.support.sap.com/#/notes/3129956

danielpurucker
Participant

Regarding BO/BI - Note 3129956 regarding CVE-2021-44228 (Log4J) has been updated to version 5 stating: "SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228, which packages log4j version 1.2.6 (as of 4.3 SP02), earlier releases of BI may have older versions."

GregMalewski
Contributor

The most relevant and up to date list I would think of, would be the search on notes with the tag "CVE-2021-44228":

https://launchpad.support.sap.com/#/solutions/notesv2/?q=CVE-2021-44228&sortBy=date&sortOrder=desc

brendangilbert
Discoverer

We have found reference to log4j and log4j2 in the following products:

Doug_Munford
Participant
0 Kudos

Covered by Tammy Powlas statement posted above... that BO is not impacted by this vulnerability
https://launchpad.support.sap.com/#/notes/3129956

And you'll find plenty of older version of log4j.jars as well if you search the BOE install. (some unversioned in the name so you have to look at the Manifest)

0 Kudos

Hi @ Brendan Gilbert,

Thanks for sharing the insights. Can you let me know how to check the Log4J version for Cloud applications like Succesfactors?

Thanks again for your support.

Regards,

Siva

brendangilbert
Discoverer
0 Kudos

Thanks dougmunford-dof I agree it does seem that older versions of log4j are not affected but do have its own vulnerabilities that wont be addressed as its EOL. There is one affected log4j version v2.11.1 on my server in TomcatConfig which is of concern.

Unfortunately I don't have access to notes so I am unable to read the statement but have asked our SAP partner to check it out and send me a copy.

Here is one of the most detailed articles I have found so far - https://www.socinvestigation.com/apache-log4j-vulnerability-detection-and-mitigation/ - im sure there will be more as this unfolds.

matthias_hollstein
Participant

Hello
What about SAP Manufacturing Execution (ME) including MEINT?
SAP MII and SAP OEE?

thank you in advance

kind regards
Matthias

JanFraenzel
Explorer

hi Matthias,

Good question 😉

i found the following on our ME / MII systems (15.4.x / NW 7.5 SP21).

It would therefore not be relevant, as it is too old ;-(

The following leads to the info.

3131215 - Impact of log4j (CVE-2021-44228) vulnerability on SAP Process Orchestration

https://launchpad.support.sap.com/#/notes/3131215

3129883 - CVE-2021-44228 - AS Java Core Components' impact for Log4j vulnerability

https://launchpad.support.sap.com/#/notes/3129883

Connected to localhost.

Escape character is '^]'.

***********************************************

**********************************************

****###*******####*****#######**************

**##***##****##**##****##****##************

***##*******##****##***##****##**********

*****##*****########***######***********

******##****##****##***##*************

**##***##**##******##**##************

****###****##******##**##**********

**********************************

********************************

Telnet Administration

SAP Java EE Application Server v7.50

User name: Administrator

Password:

Welcome to server node XxXxXxXxX.

>llr -all -f org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Eear/app_libraries_container/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Eauditws/servlet_jsp/manufacturing-auditservices/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Epapiws/servlet_jsp/manufacturing-papiservices/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Erest/servlet_jsp/manufacturing-rest/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

jar:file:/usr/sap/<SID>/J<NR>/j2ee/cluster/apps/sap.com/me%7Emobile/servlet_jsp/manufacturing-mobile/root/WEB-INF/lib/log4j-1.2.17.jar!/org/apache/log4j/Logger.class

>llr -all -f org/apache/logging/log4j/core/Logger.class

[Shell -> LLR] Such resource cannot be found in the registered loaders!

>llr -all -f org/apache/logging/log4j/Logger.class

[Shell -> LLR] Such resource cannot be found in the registered loaders!

>llr -all -f org/apache/names/factory/BeanFactory.class

[Shell -> LLR] Such resource cannot be found in the registered loaders!

kind regards

Jan

matthias_hollstein
Participant

Hello Jan

exactly

and according SAP Note 3129883

"Library versions Log4j 1.x are not affected, although update of the library is recommended"

in our opinion the SAP has to update ME, to follow their own recommendation

currently it seems to be possible, that version 1 of log4j is not secure too.

regards

Matthias

sergei-u-niq
Active Contributor

log4j 1.2.x is vulnerable to a similar issue up to version 1.2.17 (CVE-2019-17571) which is older, but similarly critical and similarly easy to exploit. Due to recent issue with log4j 2, a lot of would-be-hackers were also made aware of this old one, so it would be wise to update 1.2.x to 1.2.18 where possible

matthias_hollstein
Participant
0 Kudos

Hello
SAP has released Patch for SAP ME 15.2 SP0 & 15.3 SP0 only.
See. https://launchpad.support.sap.com/#/notes/3139601

regards

Matthias

matthias_hollstein
Participant
0 Kudos

Hello again

SAP has released first Patches for SAP ME SCRIPTS too, because this package has also log4j included

https://launchpad.support.sap.com/#/notes/3139601/E/diff

please check your system, if you do not use SAP ME on HANA DB

regards

Matthias

amontella96
Active Contributor

To whoever care :

- about BTP neo, sap is asking customers to check their customers to check if you are directly packaging open source log4j in your integration flows SAP Cloud Integration , perhaps a bit cryptic ?

- about Solution Manager Diagnostic Agents 3130913 talks about Simple Diagnostics Agent for Focused Run, it is unclear if ALL DAA

cheers!A

egeytenbeek
Discoverer
abhirs1234
Discoverer

Hi,

For SAP PO and SAP LM, i think best idea to add parameter under SAP JVM via NWA(as a mitigation)

Without -D:

log4j2.formatMsgNoLookups" to “true”

matthias_hollstein
Participant
0 Kudos

SAP has released Patch to replace log4j from SAP ME

this patch is released for SAP ME 15.2 SP0 and 15.3 SP0 only.

see note: https://launchpad.support.sap.com/#/notes/3139601

When will SAP ME 15.2 SP3, 15.4 and 15.5 obtain such a patch?

regards

Matthias

matthias_hollstein
Participant
0 Kudos

Hello again

SAP has released first Patches for SAP ME SCRIPTS too, because this package has also log4j included

https://launchpad.support.sap.com/#/notes/3139601/E/diff

please check your system, if you do not use SAP ME on HANA DB

regards

Matthias

former_member210667
Participant
marco_hammel2
Participant
0 Kudos

Hi,

I also suggest to check for solutions connection to SAP using the RFC JcO library (https://support.sap.com/en/product/connectors/jco.html). The solutions by themselves using Log4J. However also JcO uses log4j for tracing.

I wasn't able to find a list of the FOSS components but as I documented here https://github.com/NO-MONKEY/log4j_use_in_sap you can see the use. Figuring out the version is tricky because Log4J is not bundled in the actual jar but as far as I understand without reversing it in the dynamic library part of the Log4J. On a *NIX like system you should be able to check what log4j library is loaded to memory with

sudo ls -l /proc/*/fd/ | grep log4
neilpayne-1
Discoverer
0 Kudos

Does anyone know if the Business Intelligence Platform: XI 3.1 is affected?

We use the crystal report 2008 java runtime engine and it appears that it uses log4j 1.2.8

Crystal have stated Business Intelligence Platform 4.x is not affected, but any news on XI 3.1?

Thank you

former_member583619
Discoverer
0 Kudos

My organization uses SAP CRM 7.0 ABAP. i don't think this uses java or apache tomcat? Any thoughts from the community?

Thanks,

Mike

farmersa
Discoverer
0 Kudos

Does anyone have the steps to replace log4j-1.2.15.jar in a BOE installation? We upgraded from 4.2 SP6 to 4.2 SP9 sometime ago, but we were unable to uninstall SP6, if this is the issue. Do we extract the log4j files from apache and replace the two within the warfiles - webapps - dswsbobje - WEB-INF - lib directory?

Doug_Munford
Participant

That is log4j version 1. It is old and unaffected by the vulnerability. hence the 1.2.15

The versions of log4j v2 BEGIN with 2.x.x. e.g 2.14.0

You will also find version 1.2.6 in (circa 2005) in various of the pieces pf the clientapi launchpad dswsbobje.

log4j v2 is not compatible with log4j v1 so I strongly suggest you don't replace anything.

See the comment from Tammy Powlas at the top of this for clarity that BO is unaffected.

settgast
Explorer
0 Kudos

For SAP PO there is now a dedicated FAQ Note how its affected and what are workarounds: https://launchpad.support.sap.com/#/notes/3131215

Code fix for SAP PO 7.5 SPS20+ will be released soon at https://launchpad.support.sap.com/#/notes/3130521

settgast
Explorer
0 Kudos

Patch now available for both log4j CVEs (CVE-2021-44228, CVE-2021-45046): https://launchpad.support.sap.com/#/notes/3131436

0 Kudos

Hello

is a decentralized EWM also affected by this?

Thanks in advance!

Best regards

Benjamin

Doug_Munford
Participant
0 Kudos
divanova1005
Explorer
0 Kudos

Hello,

Do you know if SolMan is impacted per this SAP note 3129883 ?

amontella96
Active Contributor

hi divanova1005

im quite sure SolMan abap is not impacted

Solman Java, it's likely as well, but to be safe, follow the steps as per 3129883 and you will have your confirmation

Lastly , it is unclear about DAA and I have opened an oss for this ..

cheers!A

shaun_wimpory2
Participant

I didn't find the log4j libraries in our SolMan Java stack (running the latest SPS also).

FloS
Discoverer
0 Kudos

Where - within NWA - should we set the parameter log4j2.formatMsgNoLookups to true?

0 Kudos

NWA/Configuration/Infrastructure/Java System Properties/System-VM-Parameter

aaronkmathews
Member
0 Kudos

Has only one heard if this vulnerability, CVE-2021-44228, impacts the Sybase Open Client?

Is there a link to ta KBA to clarify?

0 Kudos

See KBA3130970
looks like there's no impact on ASE SDK 16

https://launchpad.support.sap.com/#/notes/3130970

matthias_hollstein
Participant

our NWDI System running on sybase:

log4j version 1.2.4 and 1.2.15

for me it is looking relevant for CVE-2021-4104.

regards

Matthias