Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability within all Apache log4j versions 2.0-beta9 to 2.15
References
https://logging.apache.org/log4j/2.x/security.html
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root).
The Sage Fixed Assets Development Team has investigated this, and the Apache Log4J 2 library is NOT used in the Sage Fixed Assets applications.
There is direct integration with the following products, if you own both products and choose to use the integration:
- Sage 50 US
- Sage 100
- Sage 300
- Sage 500
- Sage Intacct
- CCH ProSystem fx Tax
- Abila MIP Fund Accounting
If you have a Sage Fixed Asset solution integrated with any of the Sage Solutions listed above please check with the product specific support site for further potential vulnerabilities related to Apache Log4j 2.
Finally, The SAP team, Crystal Reports, has confirmed no impact on any of their BI components, including Crystal Reports.