Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability within all Apache log4j versions 2.0-beta9 to 2.15.
References
https://logging.apache.org/log4j/2.x/security.html
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.
The Sage 300 Development Team has investigated this, and the Apache Log4J 2 library is NOT used in the 2022, 2021, and 2020 versions of Sage 300.
While Sage 300 does use the Log4J 1 library (version 1.2.17) for our Global Search feature (used by SOLR 7.2.1), the Log4J 1 library is not affected by this vulnerability. We are upgrading the log4j component in our next product update (April) for all supported versions.
For customers using Sage 300 with Sage CRM, Sage CRM has produced patches which are currently being tested, and we will advise results and availability as soon as possible. Additionally, Sage Intelligence and Sage Intelligence Reporting Cloud, the bundled reporting components of Sage 300, have also been investigated and cleared at this time.
Finally, the SAP team has confirmed no impact on any of their BI components, including Crystal Reports. The team at Aatrix has reviewed their payroll e-filing solution and assured us that it is not impacted either.
References
https://access.redhat.com/security/cve/cve-2021-44228
https://solr.apache.org/news.html
https://launchpad.support.sap.com/#/notes/3129956
Please watch the following Sage City links for news:
Sage City page: https://www.sagecity.com/us/sage300_erp/f/sage-300-announcements