SAP Security Patch Day – December 2021
Today is SAP Security Patch Day! For the last time in 2021, SAP released monthly security updates. Currently, the IT world is in turmoil as earlier this week various information security authorities have drawn attention to a widespread vulnerability called log4j.
Log4j - Zero-Day vulnerability for SAP?
From the BSI to the US-CERT, authorities issued warnings for log4j, a high-severity zero-day vulnerability.
SAP customers are worried and are wondering to what extent the critical business applications of SAP SE are affected. The extent of the spread of the vulnerability has become clear: even the popular open-source application Apache is affected.
The news about the new vulnerability certainly hit SAP like a bomb. Many customers immediately inquired and SAP is responding promptly. In the meantime, more than 200 Notes (requires login) have been published by SAP, and many of these notes confirm that specific products are not affected.
SAP did not create all log4j notes in the category “security”. This means that the December release of the SAP Security Patch Day does not list all notes that contain information about the log4j – Zero-Day Vulnerability within SAP products.
The list below shows a few product-specific notes, but SAP may release further notes at any time:
– SAP HANA Advanced Version XS (note 3130698)
– SAP CC PoS and SAP CC manager – versions 2.0 FP09, 2.0 FP10, 2.0 FP11 PL06 (or lower) and 2.0 FP12 PL04 (or lower) are affected (note 3130499)
– SAP Commerce Platform (All versions) Apache on-premise (note 3130967)
– Database related, Db2 LUW impacted by log4j vulnerability (note 3130882)
Use SecurityBridge Patch Management so that you never miss an important patch applicable to your SAP products.
Summary by Severity
The December release contains a total of 15 patches for the following severities:
Severity | Number |
---|---|
Hot News | 5 |
High | 5 |
Medium | 5 |