Skip to content

CVE-2021-44228 Log4j 2 exploitation in SAP Systems

log4j

Executive Summary

The Log4j is a Java-based logging audit framework within Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution (RCE) vulnerability. An attacker can leverage this vulnerability to take full control of a targeted machine. 

This module is a prerequisite for other software, which means it can be found in many products, including those from SAP SE, and is trivial to exploit. It is critical that organizations take immediate action to inventory their systems and prioritize remediation. 

  • Impacted Versions
  • Apache Log4j 2.x <= 2.15.0-rc1
  • CVSS: 10 (CRITICAL) 

Detection vs. Prevention

Microsoft’s Threat Intelligence team, which is responsible for the evaluation and threat analysis of security vulnerabilities and malware, has published an initial analysis of the Log4Shell vulnerability (CVE-2021-44228) in the Log4J logging library. There it emphasizes: “Every system with Log4J must be considered attacked meanwhile”. 

Specifically, Microsoft’s assessment states, “Because the attack vectors through which this vulnerability can be exploited are broad and fully deploying remediation in large environments will take time, we recommend defenders look for signs of post-exploitation rather than relying entirely on prevention.” 

SAP usage of Log4j

There are several ways to answer the question of using Log4j in SAP products. On the one hand, you can wait for the release of the manufacturer itself. On the other hand, there are also innovative solutions like the one from one of our partners, the SAP security experts from NO-MONKEY.  

The team of NO-MONKEY has presented in their GitHub repository (https://github.com/NO-MONKEY/log4j_use_in_sap) an impressive analysis that shows how common the use of the vulnerable component Log4j is in the SAP product portfolio. They have published an elastic search, looking for the vulnerable component in SAP’s public help pages.  

Although, the results do not try to claim completeness, it is a valuable source that proves the wide usage. 

SAP SE does not leave their customers alone! The SAP Global Security has published a document named: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” 

The document is available for SAP customers with access to the SAP Support Portal via the following link: https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf  

Stay tuned and read regular updates on the Log4j zero day vulnerability - how it can affect your SAP systems, and what you can do to protect your IT infrastructure

Attack vector and observed activity

We quote from a posting on the Microsoft Security Blog. The blog writes under the headline “Nation-state activity” the following,

“MSTIC has also observed the CVE-2021-44228 vulnerability is being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.”

Furthermore, the Microsoft Security Team and independent Security publishers confirm that the Log4J vulnerability has been successfully used to deploy ransomware.

The vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security researchers.

Recommendation

At this point, we recommend assuming that an affected system has already been infiltrated. Consequently, the following applies:

  • increase your log levels to detect anomalies
  • Activate available log sources in SAP if they are not already active
  • Check SAP’s publications regularly
  • Prioritize SAP systems that communicate with untrusted networks. These should be especially monitored!
  • If you use NG Firewall i.e a FortiGate NG with an Intrusion Prevention System, update the IPS signature

Using SecurityBridge Threat Detection, you already have a great foundation to detect anomaly behavior within your SAP Application Stack. Our experts recommend paying special attention to any events that signals:

  • Privilege escalation
  • Data exfiltration
  • Remote activities (RCE, remote function calls)

Use SecurityBridge Security & Compliance Monitor to understand the overall security posture and act in accordance with the classification of data processed by the individual instance.

Posted by

Till Pleyer

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Webinar: Why is SAP Security Patching not like Windows Updates?

The webinar, taking place on demand is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.

SecurityBridge at the DSAG22: How to protect SAP systems during these times

Together with its partner, Fortinet, the SAP Security specialist company will present how to close the gap between SAP and network security in Leipzig.
SAP Security Services
SAP Cybersecurity- Security News
Many companies have recognized the need for SAP cybersecurity, but many have also realized that they cannot accomplish this alone. There are many reasons for this. It can be due to the internal teams' workload or due to the employee's level of knowledge. However, there is a solution that neither burdens your internal staff nor demands additional knowledge. A specialized managed SAP Security Service allows you to harden mission-critical systems, detect and promptly counteract non-compliance, and implement monitoring with accurate anomaly detection.
Patch Management
SAP security provider SecurityBridge—now operating in the U.S.—today announced the full integration of its SAP Security Platform with the Microsoft Sentinel cloud-native Security Information and Event Manager (SIEM) platform and its membership to MISA. SecurityBridge was nominated to MISA because of the integration of its SAP Controller to the Microsoft Sentinel dashboard. SecurityBridge is a Smart Data Adapter that significantly simplifies security monitoring of critical and highly specific business applications.
Angriffserkennung für SAP
SAP Cybersecurity- SAP Identity and Authorization- SAP Threat Monitoring- Security News
Viele unserer Leserinnen und Leser erinnern sich noch an den 25. Mai 2018, Stichtag der bindenden Einführung der Datenschutzgrundverordnung, kurz DSGVO. Verstöße gegen die neue Regelung können seitdem zu drakonischen Strafen führen. Nun steht, zumindest für diejenigen Unternehmen, die zur kritischen Infrastruktur (KRITIS) von Deutschland zählen, ein ähnlicher Termin ins Haus. Am 1. Mai 2023 müssen betroffene Unternehmen ein System zur Angriffserkennung eingeführt haben.
SAP Cybersecurity Risks
SAP Cybersecurity- SAP Security Framework- Security News
Recently, we gave an insight into the known SAP attackers in our blog. Of course, it can already be deduced from this that there are internal and external SAP attackers. That is why today, we want to look at this from an SAP cybersecurity risk perspective.