Advisory
A note with CVSS 8.0 for component LOD-CRM-GW-LN was released by SAP on 23.12.2021. The correction/advisory 3132074 was described with "[CVE-2021-44228] Code Injection vulnerability in Cloud for Customer Lotus Notes PlugIn" and affects the system type SAP Cloud for Customer.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as monthly patch process.
The vulnerability addressed is code injection within SAP Cloud for Customer.
Risk specification
The component log4j allows an attacker to execute malicious code when he is in control of log messages or message parameter.Solution
The application's dependencies were updated to a newer release that no longer contains these log4j vulnerabilities. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "If possible, set the java parameter log4j2.formatMsgNoLookups=true".
The advisory is valid for
- COD_LOTUS_ADDIN 2021
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition
