Advisory
A note with CVSS 8.0 for component IS-PMED-HPH was released by SAP on 20.12.2021. The correction/advisory 3131824 was described with "[CVE-2021-44228] Log4j Vulnerability in Connected Health Platform 2.0 - Fhirserver" and affects the system type SAP Connected Health platform.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as monthly patch process.
The vulnerability addressed is code injection within SAP Connected Health platform.
Risk specification
The component log4j allows an attacker to execute malicious code when he is in control of log messages or message parameter.Solution
The application's dependencies were updated to a newer release that no longer contains these log4j vulnerabilities. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "If possible, set the java parameter log4j2.formatMsgNoLookups=true".
The advisory is valid for
- XSAC_CHP_FHIR 1
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition
