Fixed Assets and Sage 100 Using Crystal Reports with Apache log4j Vulnerability

We have a client using Fixed Assets 22.1.0.0 and Sage 100 Standard 2022. It has come to our attention that both software packages are bundled with Crystal Reports. We can confirm that Crystal Reports is utilizing the following Apache log4j versions with Fixed Assets: tp.apache.log4j.boe-1.2.6_sap.1-corenu, SAP BusinessObjects; tp.apache.log4j.bundle-1.2.6_sap.1-core-nu, SAP BusinessObjects; tp.apache.log4j.classes-1.2.6_sap.1-core-nu, SAP BusinessObjects; tp.apache.log4j.nteventlogappender1.2.6_sap.1-core-32, SAP BusinessObjects; tp.apache.log4j-1.2.6_sap.1-core-nu.

Sage 100: tp.apache.log4j.bundle-1.2.6_sap.1-core-nu, SAP BusinessObjects; tp.apache.log4j.nteventlogappender1.2.6_sap.1-core-32, SAP BusinessObjects; tp.apache.log4j-1.2.6_sap.1-core-nu, SAP BusinessObjects; tp.datadirect.cpp-6.0-core-32.

I know SAP and Sage claim that their software is not vulnerable to the Apache Log4j RCE exploits, but it looks like an external vulnerability scanner (Tenable Nessus) is able to detect these vulnerable versions from outside the network. Apache Log4j version 1.2.6 is deprecated. Can we remove Apache log4j 1.2.6 without breaking Sage 100 Standard and Fixed Assets?

  • 0

    Hello,

    Per SAP:

    "SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105, CVE-2021-44832".

    Crystal Reports is an optional install with Sage 100; the install is not required to access or use Sage 100.

    Per SAP, removing Apache log4j components will cause a re-install of Crystal Reports (this has not been verified). Awaiting an answer from the Fixed Assets team.

    John Nichols

    Sage

  • 0 in reply to jcnichols

    Thank you for the information. SAP is ignoring the fact that Log4j version 1 reached end of life in August 2015 and is no longer getting patched; they are still using it with Crystal Reports 2016. Log4j version 1 is plagued by the following vulnerabilities: CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307. I will check and see if our client is utilizing Crystal Reports for Sage 100. Thank you for checking Fixed Assets. They are also using HRMS, and the client states the following: "I also use a SAGE HRMS for my payroll functions that I have custom crystal reports in".

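To check which of the Log4j 1.x CVEs named in the thread correspond to code actually shipped in a bundled jar, the jar's class list can be inspected. The following is an added example, not part of the thread and not Sage or SAP code; it assumes the jar keeps the standard `org.apache.log4j` package paths, and the sample jar is constructed in memory for the demo.

```python
import io
import zipfile

# Log4j 1.x classes associated with the CVEs listed in the reply above.
CVE_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
    "CVE-2020-9488": "org/apache/log4j/net/SMTPAppender.class",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink.class",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender.class",
    "CVE-2022-23307": "org/apache/log4j/chainsaw/",  # whole Chainsaw package
}
# Log4j 2.x class behind CVE-2021-44228; it is not part of Log4j 1.x.
LOG4J2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(jar):
    """Report which CVE-relevant classes a jar (path or file object) contains."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()

    def present(marker):
        if marker.endswith("/"):  # package prefix match
            return any(n.startswith(marker) and n.endswith(".class") for n in names)
        return marker in names

    return {
        "log4j1": any(n.startswith("org/apache/log4j/") for n in names),
        "log4j2_jndilookup": LOG4J2_MARKER in names,
        "cve_classes": sorted(c for c, m in CVE_CLASSES.items() if present(m)),
    }


def build_sample_jar(entries):
    """Build an in-memory jar for the demo (constructed data, not a real SAP file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


# Constructed entry list standing in for a bundled Log4j 1.x jar.
SAMPLE = ["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
          "org/apache/log4j/net/JMSAppender.class",
          "org/apache/log4j/net/SocketServer.class",
          "org/apache/log4j/chainsaw/Main.class"]

if __name__ == "__main__":
    print(inspect_jar(build_sample_jar(SAMPLE)))
```

A class being present only shows that the jar ships the code; whether it is reachable depends on the log4j configuration the application actually loads.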