According to Elastic search website there is some mitigation available for elastic search

discuss.elastic.co/.../291476

Yes, i have added -Dlog4j2.formatMsgNoLookups=true in the  JVM_OPTIONS file for Elastic Search and restart the services. But we have alot of different version of X3 and elastic search out there, For the old bundled elastic search i have used the managermode of the service and added the parameters.

how exactly did you do this? i need to also do the same thing. Did you figuire out how to fix it in the SAP business objects? our SOC found that was installed by sage x3 "C:\program files (x86)\sap businessobjects\sap businessobjects enterprise xi 4.0\java\lib\external\axis2\1.6.2\log4j-1.2.15.jar"

how exactly did you do this? i need to also do the same thing. Did you figuire out how to fix it in the SAP business objects? our SOC found that was installed by sage x3 "C:\program files (x86)\sap businessobjects\sap businessobjects enterprise xi 4.0\java\lib\external\axis2\1.6.2\log4j-1.2.15.jar"

Is the sap  business objects you mention a part of the printserver installation or is it development tools for crystal reports?

im not sure. i think its the crystal reports thats on the erp web server. 

it appears to be deeply integrated into crystal reports generation. 

it seems that log4j version 1 is not impacted