
Log4j Vulnerability

SAP Log4J

Due to the high level of uncertainty and numerous inquiries about the current security situation surrounding the Apache Log4j security vulnerabilities, we have decided to summarize all relevant information and chronological reference in context with SAP for you on this page. We will update this page regularly, so make sure you don’t miss out, but bookmark this page.

RECENT UPDATES

18th January 2022

[SAP Launchpad Support] Note 3142773 – Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce. The SAP Security Note describes a workaround to mitigate the Log4Shell risk. 

https://launchpad.support.sap.com/#/notes/3142773
(login required)

18th January 2022

[SAP Launchpad Support] Note 3130920 – Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise). The SAP Security Note describes a workaround to mitigate the Log4Shell risk. 

https://launchpad.support.sap.com/#/notes/3130920
(login required)

24th December 2021

[SAP Launchpad Support] Central Security Note for Apache Log4j 2 component has been updated. The Note summarizes the Security Notes, and SAP Notes/KBA’s describing a workaround.

https://launchpad.support.sap.com/#/notes/3131047
(login required)

23rd December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component KM-WPB-MGR. Note 3132964 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager

SAP Launchpad Support
(login required)

22nd December 2021

[SecurityBridge Platform] Version 6.02 introduces dedicated controls to check for Log4Shell vulnerabilities. Customers can find additional information on the KB page for Compliance Check 5060, including the Log4Shell use case [KB, login required].

22nd December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XS-ADM. Note 3132822 – [CVE-2021-45046] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

SAP Launchpad Support 
(login required)

22nd December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-CP-XF-KYMA. Note 3132744 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma

SAP Launchpad Support 
(login required)

21st December 2021

(UPDATED, December 21, 2021, 2.25pm EST) SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal

SAP Launchpad Support 
(Login required)

21st December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-NEO-SVC-IOT. Note 3132922 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform

SAP Launchpad Support 
(login required)

21st December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-CP-CF-RT. Note 3130578 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry

SAP Launchpad Support 
(login required)

20th December 2021

[SAP Launchpad Support] A priority ‘High’ SAP Note/KBA has just been released on component IS-PMED-HPH. Note 3131824 – [CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver

SAP Launchpad Support 
(login required)

20th December 2021

[Info] You have probably already consulted various information about Log4Shell. This video explains the background and history of the Log4Shell vulnerability.

17th December 2021

[SecurityBridge Platform] A new version of the DEFAULT detection signatures was published with new settings for Listener 1082 – Suspicious web service calls [KB, login required] and Listener 1086 – Suspicious HTTP calls (available from v6.01.0) [KB, login required], which are capable of detecting Log4Shell exploitation attempts.

The latest signature can be downloaded from the SecurityBridge Support Portal [KB, login required].

17th December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-SEC-ETD. Note 3131272 – CVE-2021-44228, CVE-2021-45046: Apache Log4j vulnerabilities in SAP Enterprise Threat Detection and SAP Enterprise Threat Detection Log Collector

SAP Launchpad Support 
(login required)

17th December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XS-RT. Note 3130698 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications

SAP Launchpad Support 
(login required)

16th December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XI-CON-JWS. Note 3130521 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

SAP Launchpad Support 
(login required)

16th December 2021

(UPDATED, December 16, 2021, 4.20pm EST) SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal

SAP Launchpad Support 
(Login required)

16th December 2021

[Fortinet] Securing SAP Landscapes against CVE-2021-44228 (Log4j, Log4j2 or Log4Shell) (fortinet.com). SecurityBridge and FortiGate can detect and block Log4j attacks against SAP systems and display the exploitation attempts within SecurityBridge Threat Detection, so they can be correlated with internal SAP alerts and events.

16th December 2021

[SecurityBridge Platform] A new version of the Threat Detection signature template was published. The signature contains new settings for L1086 – Suspicious HTTP calls [KB]. With the new signatures it is possible to detect Log4Shell attack patterns.
Make sure automatic updates are activated as described in Signature Updates | Automatic-updates [KB].
Alternatively, upload the latest version manually into your Controller system; see Signature Updates | Latest-Version [KB].

16th December 2021

[National Cyber Security Centrum] Useful GitHub page from the National Cyber Security Centrum with indicators of compromise, an overview of Log4j scanning software, and an overview of Log4j-related software.

16th December 2021

[SAP Launchpad Support] A new priority ‘Very High’ SAP Note/KBA has just been released on component XX-INT-SR. SAP recommends that you review it at your earliest convenience.

SAP Launchpad Support 
(login required)

15th December 2021

[SAP Blog] Article that describes how you can check your HANA XSA systems and implement the mitigation.

(updated 2021-12-15 13:30 CET)

15th December 2021

[NIST] JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. This vulnerability is currently awaiting analysis.

15th December 2021

(UPDATED, Version 21) CVE-2021-44228 – AS Java Core Components’ impact for Log4j vulnerability

SAP Launchpad Support
(login required)

15th December 2021

(UPDATED, Version 17) SAP Business Objects impacted for log4j vulnerability
SAP Launchpad Support 
(login required)

14th December 2021

Internal security assessment

All internal and customer-facing components have been scanned, with the result that no log4j vulnerability has been found.

14th December 2021

Found on Lunasec.io (go to the full article):

Affected Apache log4j Versions

log4j v2

Almost all versions of log4j version 2 are affected.

2.0-beta9 <= Apache log4j <= 2.14.1

LIMITED VULNERABILITY IN 2.15.0
As of Tuesday, Dec 14, version 2.15.0 was found to still have a possible vulnerability in some apps. We recommend updating to 2.16.0 which disables JNDI and completely removes %m{lookups}.
log4j v1

Version 1 of log4j is vulnerable to other RCE attacks, and if you’re using it you need to migrate to 2.16.0.
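To turn the version ranges quoted above into something a team can run over a jar inventory, here is an added example (written for this page, not code from Lunasec, SAP or SecurityBridge). It parses log4j version strings, including the pre-release forms such as 2.0-beta9, classifies them against exactly the ranges stated in the excerpt (2.0-beta9 to 2.14.1 affected, 2.15.0 only partially fixed, 2.16.0 and later fixed, any 1.x to be migrated), and extracts versions from jar file names. The file paths in the sample inventory are constructed for the demonstration; the function and verdict names are this example's own.

```python
import re

# Verdict labels used by this example (assumed names, not an SAP or Lunasec vocabulary).
VULNERABLE = "vulnerable"                  # 2.0-beta9 <= version <= 2.14.1
LIMITED = "limited-vulnerability"          # 2.15.0: page recommends moving to 2.16.0
FIXED = "fixed"                            # 2.16.0 and later: JNDI disabled, lookups removed
LOG4J1 = "log4j-1.x-migrate"               # 1.x: other RCE issues, migrate to 2.16.0
EARLY_PRERELEASE = "unaffected-prerelease" # 2.0 pre-releases before beta9, per the stated range

# Pre-release tags sort before a final release of the same number; a final
# release gets a sentinel that sorts after every tag.
_PRERELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = (9, 0)

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that compares in release order."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre = (_PRERELEASE_ORDER[m[4].lower()], int(m[5])) if m[4] else _FINAL
    return (major, minor, patch) + pre


_FIRST_AFFECTED = parse_version("2.0-beta9")
_LAST_AFFECTED = parse_version("2.14.1")
_FIRST_FIXED = parse_version("2.16.0")


def classify(version):
    """Map a log4j version string to one of the verdict labels above."""
    v = parse_version(version)
    if v[0] == 1:
        return LOG4J1
    if v[0] != 2:
        raise ValueError(f"no classification rule for major version {v[0]}")
    if v < _FIRST_AFFECTED:
        return EARLY_PRERELEASE
    if v <= _LAST_AFFECTED:
        return VULNERABLE
    if v < _FIRST_FIXED:
        return LIMITED
    return FIXED


# Matches 'log4j-core-<ver>.jar' (log4j 2) and 'log4j-<ver>.jar' (log4j 1).
# log4j-api alone does not carry the lookup code, so it is deliberately not matched.
_JAR_RE = re.compile(
    r"(?:^|/)log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d+)?)\.jar$",
    re.IGNORECASE,
)


def classify_jar(path):
    """Return (version, verdict) for a log4j jar path, or None if it is not one."""
    m = _JAR_RE.search(path)
    if not m:
        return None
    version = m[1]
    return version, classify(version)


def assess_inventory(paths):
    """Run classify_jar over a list of jar paths and keep only the log4j hits."""
    findings = {}
    for path in paths:
        hit = classify_jar(path)
        if hit is not None:
            findings[path] = hit
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, as a file-system scan might report it.
    sample = [
        "/opt/app/lib/log4j-core-2.14.1.jar",
        "/opt/app/lib/log4j-api-2.14.1.jar",
        "/opt/legacy/lib/log4j-1.2.17.jar",
        "/opt/other/lib/log4j-core-2.16.0.jar",
        "/opt/other/lib/commons-logging-1.2.jar",
    ]
    for path, (version, verdict) in assess_inventory(sample).items():
        print(f"{verdict:24} {version:10} {path}")
```

The parser treats a missing patch number as 0 and orders alpha, beta, rc and final releases correctly, so 2.0-rc1 lands inside the affected range while 2.0-beta8 does not. Anything this classifies as fixed still only says the file name claims a safe version; a shaded or renamed jar needs a content check, not a name check.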

14th December 2021

Our partner NO-MONKEY has searched for the string Log4j on all pages of help.sap.com and released the results on their GitHub repository.

14th December 2021

SAP Business Objects impacted for log4j vulnerability
SAP Launchpad Support 
(login required)

14th December 2021

SAP Security Patch Day December:

None of the released security patches contain fixes for components impacted by log4j 2.

14th December 2021

SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal

(Login required)

13th December 2021

SAP HANA XS Advanced Platform potentially impacted for log4j – CVE-2021-44228

SAP Launchpad Support 
(Login required)

13th December 2021

Further information on the Apache Log4j Security Vulnerabilities

13th December 2021

The German federal information security office warns about the critical log4j vulnerability.

12th December 2021

The Swiss CERT issues a warning: Zero-Day Exploit Targeting Popular Java Library Log4j

10th December 2021

CERT-FR published its first notice under CERTFR-2021-ALE-022 on 10/12/2021

10th December 2021

CISA (US-CERT) releases a severe warning about Log4j.

Posted by

Till Pleyer
