Fixed Assets and Sage 100 Using Crystal Reports with Apache log4j Vulnerability

Posted By edelbd6c 3 months ago

We have a client using Fixed Assets 22.1.0.0 and Sage 100 standard 2022. It has come to our attention that both software is bundled with Crystal Reports. We can confirm that Crystal Reports is utilizing the following Apache log4j versions with Fixed Assets: tp.apache.log4j.boe-1.2.6_sap.1-corenu, SAP BusinessObjects tp.apache.log4j.bundle-1.2.6_sap.1- core-nu SAP BusinessObjects tp.apache.log4j.classes-1.2.6_sap.1- core-nu SAP BusinessObjects tp.apache.log4j.nteventlogappender1.2.6_sap.1-core-32, SAP BusinessObjects tp.apache.log4j-1.2.6_sap.1-core-nu.

Sage 100: tp.apache.log4j.bundle-1.2.6_sap.1- core-nu, SAP BusinessObjects tp.apache.log4j.nteventlogappender1.2.6_sap.1-core-32, SAP BusinessObjects tp.apache.log4j-1.2.6_sap.1-core-nu, SAP BusinessObjects tp.datadirect.cpp-6.0-core-32.

I know SAP and Sage claim that their software is not vulnerable to the Apache Log4j RCE exploits but it looks like an external vulnerability scanner (Tenable Nessus) is able to detect these vulnerable versions from outside the network. Apache Log4j version 1.2.6 is deprecated. Can we remove Apache log4j 1.2.6 without breaking Sage 100 Standard and fixed assets?

0 jcnichols 3 months ago

Hello,

Per SAP

"SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228, CVE-2021- 45046 & CVE-2021-45105, CVE-2021-44832".

Crystal Reports is an optional install with Sage 100, the install is not required to access or use Sage 100.

Per SAP removing Apache log4j components will cause a re-install of Crystal Reports. (this has not been verified). Awaiting an answer from the Fixed Assets team.

John Nichols

Sage
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 edelbd6c 3 months ago in reply to jcnichols

Thank you for the information. SAP is ignoring the fact that Log4j version 1 reached end of life on August 2015 and is no longer getting patched, they are still using it with Crystal Reports 2016. Log4j version 1 is plagued by the following vulnerabilities: CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307. I will check and see if our client is utilizing Crystal Reports for Sage 100. Thank you for checking Fixed Assets. They are also using HRMS and the client states the following "I also use a SAGE HRMS for my payroll functions that I have custom crystal reports in".
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 jcnichols 3 months ago in reply to edelbd6c

Hi, There is a Crystal Reports 2020 version available for Sage 100 and Sage Fixed Assets.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 edelbd6c 2 months ago in reply to jcnichols

Good Morning, just wondering if you found out whether or not Crystal Reports 2020 is using Apache Log4j? I tried reaching out myself but we do not have a support contract with SAP.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Sage 100

Fixed Assets and Sage 100 Using Crystal Reports with Apache log4j Vulnerability

COMMUNITY

COMPANY

PARTNERS

SUPPORT & TRAINING