- December 15, 2021
Log4j Vulnerability
Because of the high level of uncertainty and the many inquiries about the security situation surrounding the Apache Log4j vulnerabilities, we have decided to summarize all relevant information, in chronological order and in the SAP context, on this page. We will update this page regularly, so bookmark it to make sure you don't miss anything.
RECENT UPDATES
18th January 2022
[SAP Launchpad Support] Note 3142773 – Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce. The SAP Security Note describes a workaround to mitigate the Log4Shell risk.
https://launchpad.support.sap.com/#/notes/3142773
(login required)
18th January 2022
[SAP Launchpad Support] Note 3130920 – Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise). The SAP Security Note describes a workaround to mitigate the Log4Shell risk.
https://launchpad.support.sap.com/#/notes/3130920
(login required)
24th December 2021
[SAP Launchpad Support] Central Security Note for Apache Log4j 2 component has been updated. The Note summarizes the Security Notes, and SAP Notes/KBA’s describing a workaround.
https://launchpad.support.sap.com/#/notes/3131047
(login required)
23rd December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component KM-WPB-MGR. Note 3132964 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager
SAP Launchpad Support
(login required)
22nd December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XS-ADM. Note 3132822 – [CVE-2021-45046] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
SAP Launchpad Support
(login required)
22nd December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-CP-XF-KYMA. Note 3132744 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma
SAP Launchpad Support
(login required)
21st December 2021
(UPDATED, December 21, 2021, 2.25pm EST) SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal
SAP Launchpad Support
(Login required)
21st December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-NEO-SVC-IOT. Note 3132922 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform
SAP Launchpad Support
(login required)
21st December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-CP-CF-RT. Note 3130578 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
SAP Launchpad Support
(login required)
20th December 2021
[SAP Launchpad Support] A priority ‘High’ SAP Note/KBA has just been released on component IS-PMED-HPH. Note 3131824 – [CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver
SAP Launchpad Support
(login required)
20th December 2021
[Info] You have probably already consulted various sources of information about Log4Shell. This video explains the background and history of the Log4Shell vulnerability.
17th December 2021
[SecurityBridge Platform] A new version of the DEFAULT detection signatures was published with new settings for Listener 1082 – Suspicious web service calls [KB, login required] and Listener 1086 – Suspicious HTTP calls (available from v6.01.0) [KB, login required], which can detect Log4Shell exploitation attempts.
The latest signature can be downloaded from the SecurityBridge Support Portal: [KB, login required].
17th December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-SEC-ETD. Note 3131272 – CVE-2021-44228, CVE-2021-45046: Apache Log4j vulnerabilities in SAP Enterprise Threat Detection and SAP Enterprise Threat Detection Log Collector
SAP Launchpad Support
(login required)
17th December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XS-RT. Note 3130698 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications
SAP Launchpad Support
(login required)
16th December 2021
[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XI-CON-JWS. Note 3130521 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration
SAP Launchpad Support
(login required)
16th December 2021
(UPDATED, December 16, 2021, 4.20pm EST) SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal
SAP Launchpad Support
(Login required)
16th December 2021
[Fortinet] Securing SAP Landscapes against CVE-2021-44228 (Log4j, Log4j2 or Log4Shell) (fortinet.com). SecurityBridge and FortiGate can detect and block Log4j attacks against SAP systems and display the exploitation attempts within SecurityBridge Threat Detection, where they can be correlated with internal SAP alerts and events.
16th December 2021
[SecurityBridge Platform] A new version of the Threat Detection signature template was published. The signature contains new settings for L1086 – Suspicious HTTP calls [KB]. With the new signatures it is possible to detect Log4Shell attack patterns.
Make sure automatic updates are activated, as described in Signature Updates | Automatic-updates [KB].
Alternatively, upload the latest version manually into your Controller system; see Signature Updates | Latest-Version [KB].
16th December 2021
[National Cyber Security Centrum] A useful GitHub page from the National Cyber Security Centrum with indicators of compromise, an overview of Log4j scanning software, and an overview of software affected by Log4j.
16th December 2021
[SAP Launchpad Support] A new priority ‘Very High’ SAP Note/KBA has just been released on component XX-INT-SR. SAP recommends that you review it at your earliest convenience.
SAP Launchpad Support
(login required)
15th December 2021
[SAP Blog] An article that describes how to check your HANA XSA systems and implement the mitigation.
(updated 2021-12-15 13:30 CET)
15th December 2021
[NIST] JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. This vulnerability is currently awaiting analysis.
15th December 2021
(UPDATED, Version 21) CVE-2021-44228 – AS Java Core Components’ impact for Log4j vulnerability
SAP Launchpad Support
(login required)
15th December 2021
(UPDATED, Version 17) SAP Business Objects impacted for log4j vulnerability
SAP Launchpad Support
(login required)
14th December 2021
Internal security assessment:
All internal and customer-facing components have been scanned; no Log4j vulnerability was found.
14th December 2021
Found on Lunasec.io (see the full article):
Affected Apache log4j Versions
Almost all versions of log4j version 2 are affected.
2.0-beta9 <= Apache log4j <= 2.14.1
As of Tuesday, Dec 14, version 2.15.0 was found to still have a possible vulnerability in some apps. We recommend updating to 2.16.0 which disables JNDI and completely removes %m{lookups}.
Version 1 of log4j is vulnerable to other RCE attacks, and if you’re using it you need to migrate to 2.16.0.
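As an added illustration (not code from SecurityBridge or LunaSec), a small Python triage helper that applies the version ranges quoted above to an inventory of Log4j version strings. The pre-release ordering alpha < beta < rc < final, the category labels and the sample inventory are my own assumptions; the mapping of 2.15.0 to CVE-2021-45046 matches the SAP Notes listed on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ranges as quoted on this page (LunaSec, 14 Dec 2021): 2.0-beta9 <= Log4j 2 <= 2.14.1
# is affected, 2.15.0 is only a partial fix, 2.16.0 disables JNDI lookups, and
# Log4j 1.x must be migrated. Later fixed backports for old Java runtimes are not modelled.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # a final release ranks 3 (assumption)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)

def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0). Tuples compare
    element-wise, so pre-releases sort before the final build of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK[tag.lower()] if tag else 3
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

LOWEST_AFFECTED = parse_version("2.0-beta9")
HIGHEST_AFFECTED = parse_version("2.14.1")
FIXED = parse_version("2.16.0")

def classify(version: str) -> str:
    """Map one Log4j version string to a triage category (labels are my own)."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v[0] == 1:
        return "migrate"        # Log4j 1.x: end of life, other RCE issues
    if v < LOWEST_AFFECTED:
        return "review"         # older than the quoted lower bound, not cleared
    if v <= HIGHEST_AFFECTED:
        return "vulnerable"     # CVE-2021-44228, upgrade to 2.16.0
    if v < FIXED:
        return "partial-fix"    # 2.15.0, CVE-2021-45046, upgrade to 2.16.0
    return "ok"

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, version, category) rows, worst categories first."""
    order = ["vulnerable", "partial-fix", "migrate", "review", "unknown", "ok"]
    rows = [(c, ver, classify(ver)) for c, ver in inventory.items()]
    return sorted(rows, key=lambda r: order.index(r[2]))

if __name__ == "__main__":
    # Constructed sample inventory, not a real SAP landscape.
    sample = {"app-a": "2.14.1", "app-b": "2.15.0", "app-c": "2.16.0",
              "legacy": "1.2.17", "app-d": "2.0-rc1", "odd": "n/a"}
    for row in triage(sample):
        print("%-8s %-10s %s" % row)
```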
14th December 2021
Our partner NO-MONKEY has searched for the string Log4j on all pages of help.sap.com and published the results in their GitHub repository.
14th December 2021
SAP Business Objects impacted for log4j vulnerability
SAP Launchpad Support
(login required)
14th December 2021
SAP Security Patch Day December:
None of the released security patches contain fixes for components affected by the Log4j 2 vulnerability.
14th December 2021
SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal
(Login required)
13th December 2021
SAP HANA XS Advanced Platform potentially impacted for log4j – CVE-2021-44228
SAP Launchpad Support
(Login required)
13th December 2021
Further information on the Apache Log4j Security Vulnerabilities
13th December 2021
The German information security authority warns about the critical Log4j vulnerability.
12th December 2021
The Swiss CERT issues a warning: Zero-Day Exploit Targeting Popular Java Library Log4j
10th December 2021
CERT-FR published its first notice under CERTFR-2021-ALE-022 on 10/12/2021
10th December 2021
CISA (US-CERT) releases a severe warning about Log4j.