x Want to participate? Join the group to interact
Options
  • Replies 11 replies
  • Subscribers 93 subscribers
  • Views 10637 views
  • Users 0 members are here
Browse Forums
Announcements
293
topics
370
replies
Business Object Interface
1k
topics
7k
replies
Core Financial Modules
2k
topics
8k
replies
Customization and Productivity
3k
topics
12k
replies
Distribution, Manufacturing, and Applications
2k
topics
7k
replies
General Discussion
1k
topics
3k
replies
Partner Cloud
45
topics
92
replies
Payroll, Time Tracking, and Job Cost
777
topics
1k
replies
Reporting and Analytics
962
topics
3k
replies
Sage CRM for Sage 100
164
topics
357
replies
Technical and Installation
2k
topics
9k
replies
Year-end Forum
89
topics
237
replies
Mas90Geek

Log4j and Sage 100 vulnerability?

Posted By

Last week a proof of concept for a vulnerability around Log4j was distributed on the Internet.  New zero-day exploit for Log4j Java library is an enterprise nightmare (bleepingcomputer.com) 

Almost immediately bad actors started trying to exploit the vulnerability.  Hackers start pushing malware in worldwide Log4Shell attacks (bleepingcomputer.com) 

Is the Sage 100 server vulnerable to the Log4j vulnerability?  What impact would this have on Sage 100?

Parents

  • I'm not sure but someone just mentioned that Crystal Reports employs the Apache Log4J application (https://answers.sap.com/questions/13545419/log4j-security-vulnerability-with-sap-crystal-repo.html).

  • in reply to zip

    Actually just noticed on this SAP forum thread (same one above), specifically the post near the bottom by Don (SAP employee), this does not impact Crystal Reports – i.e. “We've discussed this over the weekend and it does not impact CR or CR for VS or BOE runtime at all.  Yes our version is out of date and we are working on updating it but there is no impact to .NET runtime since it's not used.  So you can ignore the the warning.”

     

    Thanks.

  • in reply to zip

    New post in the SAP thread above:  

    Here is the official answer from SAP (updated 13/12/2021 Ver. 3)

    • SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228
    • The impacted component is the main JNDI package. JNDI classes and methods are not used in the SAP BusinessObjects BI Platform.
    • Further security / mitigation against Remote Code Execution is available at the Java level in 8u121 and 8u191, therefore we recommend customers to be on a version of SAP BusinessObjects BI Platform that packages at least a version > 8u121. Therefore we recommend the minimum version that should be applied is 4.2 SP05. For more information about the versions of SAPJVM (and which Oracle JVM version they are based on) supplied per BI version, see:
      2914488 - List of Bundled SAP JVM versions shipped with selected Patches of SAP BusinessObjects Business Intelligence Platform 4.x

    see KBA 3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

  • in reply to zip

    Thanks - apparently I am no longer an "S-User" SAP person, only a "P-User". Not sure when and how that happened but would it be informative to get a PDF copy of that KBA?

Reply Children

*Community Hub is the new name for Sage City