x Want to participate? Join the group to interact
Options
  • Replies 11 replies
  • Subscribers 93 subscribers
  • Views 10638 views
  • Users 0 members are here
Browse Forums
Announcements
293
topics
370
replies
Business Object Interface
1k
topics
7k
replies
Core Financial Modules
2k
topics
8k
replies
Customization and Productivity
3k
topics
12k
replies
Distribution, Manufacturing, and Applications
2k
topics
7k
replies
General Discussion
1k
topics
3k
replies
Partner Cloud
45
topics
92
replies
Payroll, Time Tracking, and Job Cost
777
topics
1k
replies
Reporting and Analytics
962
topics
3k
replies
Sage CRM for Sage 100
164
topics
357
replies
Technical and Installation
2k
topics
9k
replies
Year-end Forum
89
topics
237
replies
Mas90Geek

Log4j and Sage 100 vulnerability?

Posted By

Last week a proof of concept for a vulnerability around Log4j was distributed on the Internet.  New zero-day exploit for Log4j Java library is an enterprise nightmare (bleepingcomputer.com) 

Almost immediately bad actors started trying to exploit the vulnerability.  Hackers start pushing malware in worldwide Log4Shell attacks (bleepingcomputer.com) 

Is the Sage 100 server vulnerable to the Log4j vulnerability?  What impact would this have on Sage 100?

Parents

  • We're getting the same questions from customer IT, as news of Log4j spreads. 

    Can Sage prepare a KB article we can share about how Sage 100 is (or hopefully isn't) affected by this vulnerability?

Reply

  • We're getting the same questions from customer IT, as news of Log4j spreads. 

    Can Sage prepare a KB article we can share about how Sage 100 is (or hopefully isn't) affected by this vulnerability?

Children
  • in reply to Kevin M

    Here's the only items I located in the KB:

       

  • in reply to zip

    Agree 100% with Kevin. It would be good at this point to have a KB specific for Sage 100.

    Here is an email I received last Saturday (12/11) from ECI (which now owns KnowledgeSync), titled "Important Security Notification"

    What Happened:

    On December 9, 2021 a security vulnerability in an open source library called Log4J was made public. This library is in wide use within the global software community and is used to log events in the normal use of software, most often in Java- based applications.

    If exploited, this vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to import malware that allows them to take control of targeted systems.

    This vulnerability is not unique to ECI’s software and could be present in other software that you use in your business as well. We encourage your internal team to examine the impact of this security issue on other vendor software you may be using.

    ECI’s Response:  

    Our Security, Cloud Operations, and Product Development teams have worked diligently over the last 24 hours to assess and mitigate our use of Log4j. We have found very few instances of our direct use of Log4j and have remediated these vulnerable versions within our Cloud Offerings.

    We continue to monitor the situation and will keep you apprised of any important updates.

    How Does this Affect You:

    You do not need to take any action at this time.  In most cases, our customers’ use of ECI software products is unlikely to be materially affected by this vulnerability. For ECI customers using our cloud offering, our security team has already identified and applied fixes.

    There is no need to contact our support organization. If you are directly affected, we will proactively contact you with further information.​

    ECI takes the security of our customers’ software very seriously. We are partners in your success and will continue to communicate any new information as it develops.
     

    Thank you,
    ECI Support

  • in reply to Kevin M

    KB article re: Sage 100: 

    What impact does the Log4j vulnerability have on Sage 100?
    Created on 12-13-2021 | Last modified on 12-14-2021
    Summary
    What impact does the Log4j vulnerability have on Sage 100?
    Is the Sage 100 server vulnerable to the Log4j vulnerability?
    Resolution
      • Sage Engineering has been made aware of the Log4j vulnerability on Friday Dec 10 and is currently researching if there is any affect for Sage 100. While it's unlikely Sage 100 is affected, Sage Engineering is currently researching this and will provide an update when the research is complete.
    Keywords: 
    Product: Sage 100
    Solution ID: 113754
    Published on: 12-14-2021
    Applies to: Download and installation >  Installation

*Community Hub is the new name for Sage City