Log4j and Sage 100 vulnerability?

Posted By Mas90Geek over 2 years ago

Last week a proof of concept for a vulnerability around Log4j was distributed on the Internet. New zero-day exploit for Log4j Java library is an enterprise nightmare (bleepingcomputer.com)

Almost immediately bad actors started trying to exploit the vulnerability. Hackers start pushing malware in worldwide Log4Shell attacks (bleepingcomputer.com)

Is the Sage 100 server vulnerable to the Log4j vulnerability? What impact would this have on Sage 100?

Top Replies

Parents

zip over 2 years ago

I'm not sure but someone just mentioned that Crystal Reports employs the Apache Log4J application (https://answers.sap.com/questions/13545419/log4j-security-vulnerability-with-sap-crystal-repo.html).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
zip over 2 years ago in reply to zip

Actually just noticed on this SAP forum thread (same one above), specifically the post near the bottom by Don (SAP employee), this does not impact Crystal Reports – i.e. “We've discussed this over the weekend and it does not impact CR or CR for VS or BOE runtime at all. Yes our version is out of date and we are working on updating it but there is no impact to .NET runtime since it's not used. So you can ignore the the warning.”

Thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
zip over 2 years ago in reply to zip
New post in the SAP thread above:

Here is the official answer from SAP (updated 13/12/2021 Ver. 3)

SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228

The impacted component is the main JNDI package. JNDI classes and methods are not used in the SAP BusinessObjects BI Platform.

Further security / mitigation against Remote Code Execution is available at the Java level in 8u121 and 8u191, therefore we recommend customers to be on a version of SAP BusinessObjects BI Platform that packages at least a version > 8u121. Therefore we recommend the minimum version that should be applied is 4.2 SP05. For more information about the versions of SAPJVM (and which Oracle JVM version they are based on) supplied per BI version, see:
2914488 - List of Bundled SAP JVM versions shipped with selected Patches of SAP BusinessObjects Business Intelligence Platform 4.x

see KBA 3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
rclowe over 2 years ago in reply to zip

Thanks zip - apparently I am no longer an "S-User" SAP person, only a "P-User". Not sure when and how that happened but would it be informative to get a PDF copy of that KBA?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
zip over 2 years ago in reply to rclowe

Sorry, I don't have access to it either.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
rclowe over 2 years ago in reply to zip

I had a brief stint with an SAP Business One reseller, and at that point I was pretty sure I had S-User credentials to the SAP site(s). Maybe jcnichols has the ability to get onto that site. Amazing how protective they are of it, or maybe I'm just missing something.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Reply

rclowe over 2 years ago in reply to zip

I had a brief stint with an SAP Business One reseller, and at that point I was pretty sure I had S-User credentials to the SAP site(s). Maybe jcnichols has the ability to get onto that site. Amazing how protective they are of it, or maybe I'm just missing something.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Children

jcnichols over 2 years ago in reply to rclowe

Hi Cullen, I'm unable to attach a PDF, so the item below is a screen shot, click and then click the Zoom In button upper left. Thanks John
Cancel
Vote Up +2 Vote Down

Sign in to reply

Cancel

Sage 100

Log4j and Sage 100 vulnerability?

Top Replies

COMMUNITY

COMPANY

PARTNERS

SUPPORT & TRAINING