Fixed Assets and Sage 100 Using Crystal Reports with Apache log4j Vulnerability

We have a client using Fixed Assets 22.1.0.0 and Sage 100 standard 2022. It has come to our attention that both software packages are bundled with Crystal Reports. We can confirm that Crystal Reports is utilizing the following Apache log4j versions with Fixed Assets: tp.apache.log4j.boe-1.2.6_sap.1-corenu, SAP BusinessObjects tp.apache.log4j.bundle-1.2.6_sap.1-core-nu SAP BusinessObjects tp.apache.log4j.classes-1.2.6_sap.1-core-nu SAP BusinessObjects tp.apache.log4j.nteventlogappender1.2.6_sap.1-core-32, SAP BusinessObjects tp.apache.log4j-1.2.6_sap.1-core-nu.

Sage 100: tp.apache.log4j.bundle-1.2.6_sap.1-core-nu, SAP BusinessObjects tp.apache.log4j.nteventlogappender1.2.6_sap.1-core-32, SAP BusinessObjects tp.apache.log4j-1.2.6_sap.1-core-nu, SAP BusinessObjects tp.datadirect.cpp-6.0-core-32.

I know SAP and Sage claim that their software is not vulnerable to the Apache Log4j RCE exploits, but it looks like an external vulnerability scanner (Tenable Nessus) is able to detect these vulnerable versions from outside the network. Apache Log4j version 1.2.6 is deprecated. Can we remove Apache log4j 1.2.6 without breaking Sage 100 Standard and Fixed Assets?


    Hello,

    Per SAP:

    "SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105, CVE-2021-44832".

    Crystal Reports is an optional install with Sage 100, the install is not required to access or use Sage 100.

    Per SAP, removing Apache log4j components will cause a re-install of Crystal Reports. (This has not been verified.) Awaiting an answer from the Fixed Assets team.

    John Nichols

    Sage
