Advisory
On 20.12.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Landscape Management (LaMa).
SAP Note 3132198 addresses "[CVE-2019-17571] Code Injection vulnerability in SAP Landscape Management" to prevent code injection with a hot news risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as monthly patch process, the team suggests.
Risk specification
The component log4j allows an attacker to execute malicious code when he is in control of log messages or message parameter.Solution
The application's dependencies were updated to a newer release that no longer contains these log4j vulnerabilities. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "If possible, set the java parameter log4j2.formatMsgNoLookups=true".
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition