Arpine Maghakyan

Security Researcher of RedRays.

3130521 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration



UPDATE 11th January 2022: SAP Security Note 3135581 includes the corrections provided in this security note as well as those of notes 3132204 and 3133005.

The Java Web Service Adapter of SAP NetWeaver Process Integration (PI) uses a version of the Open Source component Apache Log4j 2 which is vulnerable to remote code execution (CVE-2021-44228).

Other Terms

Command Injection, OS command injection, Process Orchestration, Log4j2, Apache Log4j Security Vulnerabilities, CVE-2021-44228

Reason and Prerequisites

You are only affected by this vulnerability if you are running the Java Web Service Adapter of Process Integration / Process Orchestration Release 7.50 SP20, SP21, or SP22, or if you have installed partner code or your own implementations that make use of Log4j. See KBA 3129883 on how to determine such usage. For a successful exploit, an attacker requires credentials to the Web Service endpoints, i.e. the flaw is not reachable by an unauthenticated attacker.



Workaround

Please assess the applicability of the workaround for your SAP landscape prior to implementation. Note that this workaround is a temporary fix, not a permanent solution. SAP strongly recommends that you apply the corrections outlined in this security note, which can be done instead of the workaround or after the workaround has been implemented.


The issue can be (partially) mitigated by setting the Java system property "log4j2.formatMsgNoLookups=true" as described in the above KBA 3129883. Further details are explained on the Apache Log4j Security Vulnerabilities page. Note that this property only exists in Log4j 2.10 and later and, as CVE-2021-45046 later showed, does not suppress lookups in every configuration; for older releases, or where the property cannot be relied on, Apache's recommended mitigation is to remove the JndiLookup class from the log4j-core jar. Treat the property as a stopgap and deploy the patch.

In case you are not using the Java Web Service Adapter, stop and disable the application to be safe. No restart is needed.

  1. Log on to NWA via https://host:port/nwa
  2. Navigate to Operations –> Start & Stop –> Java Applications. Filter for "" and stop this application. Press Home.
  3. Navigate to Configuration –> Infrastructure –> Java System Properties. Press "Show Advanced Properties". Select the Filters tab. To add a local filter, press Add and enter Action=disable, Vendor Component=application, Component Name="". Press Set and save.
  4. Verify that https://host:port/WSAdapter returns "Error: Application is stopped."
  5. Delete the filter after the system has been patched.

In case you are using the Java Web Service Adapter, proceed as follows (it is an online deployment). Apply this workaround in emergency cases only.

  1. Download the referenced Patch from SAP Service Marketplace (SAPXIAF.SCA).
  2. Extract the "" from it and place it in the instance directory, for example Linux: /usr/sap/<SID> or Windows: <drive>:\usr\sap\<SID>
  3. Open a command shell on the server and log on with telnet localhost 5<xx>08. Enter the commands
    • add deploy
    • Linux: deploy /usr/sap/<SID>/ core_components=online version_rule=all
    • Windows: deploy \usr\sap\<SID>\ core_components=online version_rule=all
  4. As the telnet session is still open, you can immediately check the versions in use with:
    • llr -all -f org/apache/log4j/Logger.class
    • llr -all -f org/apache/logging/log4j/core/Logger.class
    • llr -all -f org/apache/logging/log4j/Logger.class
    • llr -all -f org/apache/naming/factory/BeanFactory.class
  5. Exit shell
  6. Go to MMC and restart the single server nodes / instances.
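The llr commands in step 4 show which Logger classes the running server has loaded. As an added example, not part of the SAP note or of the RedRays page, the following Python script is the offline counterpart over the file system: it walks SCA/SDA/JAR archives (all of them zip files that nest each other), finds every bundled log4j-core and classifies it against the version thresholds from the Apache advisories (2.15.0 for CVE-2021-44228; 2.16.0, or 2.12.2 / 2.3.1 on the older Java 7 / Java 6 branches, for CVE-2021-45046), and flags jars where JndiLookup.class has been removed as mitigated rather than patched. The archive it builds for its demo is constructed test data and the file names in it are assumptions; point it at /usr/sap/<SID> or at a downloaded SAPXIAF.SCA to see what is actually on a system.

```python
"""Added example: find bundled Apache Log4j in SAP deployment archives.

SAP .sca/.sda archives are zips nesting further zips and jars, so the scanner
recurses into every zip-like entry. Version thresholds: Apache Log4j advisories.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip", ".sda", ".sca")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # same class the llr check looks for


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.15' -> (2, 15, 0); non-numeric -> (0, 0, 0)."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(version, has_jndi_lookup):
    """Patch status of one log4j-core. 2.15.0 fixes CVE-2021-44228; 2.16.0
    (and 2.12.2 / 2.3.1 on the Java 7 / Java 6 branches) also fixes
    CVE-2021-45046. A jar with JndiLookup.class deleted is mitigated only."""
    v = version_tuple(version)
    branch_fix = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}.get(v[:2])
    if branch_fix is not None:
        if v >= branch_fix:
            return "patched (CVE-2021-44228 and CVE-2021-45046 fixed)"
    elif v >= (2, 16, 0):
        return "patched (CVE-2021-44228 and CVE-2021-45046 fixed)"
    elif v >= (2, 15, 0):
        return "CVE-2021-44228 fixed; CVE-2021-45046 still open (needs 2.16.0)"
    if not has_jndi_lookup:
        return "JndiLookup.class removed: CVE-2021-44228 mitigated, not patched"
    return "VULNERABLE to CVE-2021-44228"


def _scan_zip(zf, location, findings):
    names = zf.namelist()
    present = set(names)
    if CORE_POM in present or JNDI_LOOKUP in present:
        version = "unknown"  # e.g. a shaded jar without Maven metadata
        if CORE_POM in present:
            props = zf.read(CORE_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                version = m.group(1).strip()
        has_jndi = JNDI_LOOKUP in present
        findings.append({"location": location, "component": "log4j-core",
                         "version": version, "jndi_lookup_present": has_jndi,
                         "status": assess(version, has_jndi)})
    if LOG4J1_MARKER in present:
        findings.append({"location": location, "component": "log4j 1.x",
                         "version": "1.x", "jndi_lookup_present": False,
                         "status": "not affected by CVE-2021-44228 (Log4j 1.x is end-of-life)"})
    for name in names:  # recurse into nested archives (sda inside sca, jar inside sda)
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _scan_zip(inner, f"{location}!{name}", findings)


def scan_path(root):
    """Scan one archive, or every archive below a directory such as /usr/sap/<SID>."""
    root = Path(root)
    findings = []
    for path in ([root] if root.is_file() else root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_sca(path):
    """Write a constructed, purely synthetic SCA (not an SAP file): an .sda that
    nests log4j-core 2.14.1 (with JndiLookup) and log4j-core 2.15.0."""
    def jar_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(CORE_POM, "groupId=org.apache.logging.log4j\n"
                                 f"artifactId=log4j-core\nversion={version}\n")
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stand-in class bytes
        return buf.getvalue()

    sda = io.BytesIO()
    with zipfile.ZipFile(sda, "w") as z:
        z.writestr("lib/log4j-core-2.14.1.jar", jar_bytes("2.14.1"))
        z.writestr("lib/log4j-core-2.15.0.jar", jar_bytes("2.15.0"))
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("DEPLOYARCHIVES/sample.sda", sda.getvalue())
    return Path(path)


def demo():
    """Build the synthetic archive in a temp directory and scan it."""
    return scan_path(build_sample_sca(Path(tempfile.mkdtemp()) / "SAPXIAF.SCA"))


if __name__ == "__main__":
    import sys
    for f in (scan_path(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{f['status']:65} {f['component']} {f['version']} @ {f['location']}")
```

Run it with a path argument to scan a real tree; without one it scans its own synthetic archive. A finding with version "unknown" and JndiLookup present is usually a shaded or repackaged jar; treat it as vulnerable until the bundled version is confirmed, because the llr check only sees classes that are already loaded, not jars that are deployed but not yet used.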


Solution

Deploy the Support Packages and Patches referenced by this SAP Security Note. With this Patch, version 2.15.0 of Apache Log4j is deployed to your system and the remote code execution is prevented. Note: The update does not protect against the denial of service (DoS) attack reported in CVE-2021-45046 (rated as "low" at the time of this note; Apache subsequently re-rated it as critical, because in certain non-default logging configurations it allows more than a DoS). That vulnerability is fixed with SAP Security Note 3132204.


Current information about this topic and further patch updates are available in SAP Note 3131436.


CVSS v3.0 Base Score: 9.9 / 10

An exploit is not available.
For detailed information, please contact [email protected].



