Advisory
On 15.12.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Any.
SAP Note 3131047 addresses "[CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component" to prevent code injection with a hot news risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as ./., the team suggests.
Risk specification
The component log4j allows an attacker to execute malicious code when he is in control of log messages or message parameter.Solution
The application's dependencies were updated to a newer release that no longer contains these log4j vulnerabilities. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Set the java parameter log4j2.formatMsgNoLookups=true for all affected systems.".
The advisory is valid for
- all
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition