Description
Symptom
This security note is the central document consolidating information on the Remote Code Execution vulnerability associated with the Apache Log4j 2 component (CVE-2021-44228). Please refer to the Solution section for the list of SAP Notes/KBAs with workarounds and the Security Notes released by SAP addressing this vulnerability. This security note is a living document that will be updated regularly.
Refer here for SAP’s Response to CVE-2021-44228 Apache Log4J 2 issue.
Other Terms
CVE-2021-44228, Remote Code Execution, Log4Shell, Central Security Note, Apache Log4j
Solution
SAP Security Notes
Note | Component | Description |
3133772 | IS-SE-CCO | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout |
3130578 | BC-CP-CF-RT | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry |
3132198 | BC-VCM-LVM | Code Injection vulnerability in SAP Landscape Management |
3131824 | IS-PMED-HPH | Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver |
3131258 | BC-XS-RT | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA |
3132922 | BC-NEO-SVC-IOT | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform |
3132744 | BC-CP-XF-KYMA | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma |
3132964 | KM-WPB-MGR | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager |
3132074 | LOD-CRM-GW-LN | Code Injection vulnerability in Cloud for Customer Lotus Notes PlugIn |
3132177 | CA-GTF-CSC-EDO-IN-DC | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Localization Hub, digital compliance service for India |
3132909 | IOT-EDG-OP | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition |
3132162 | OPU-API-OD-DT | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP API Management (Tenant Cloning Tool) |
3134531 | BC-XS-ADM | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit |
3132515 | IOT-EDG-OD | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services Cloud Edition |
3131691 | XX-PART-ADB-IFM | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) |
3134139 | XX-PART-TRI-CLD-ECT | Remote Code Execution vulnerability associated with Apache Log4j2 component used in SAP Enterprise Continuous Testing by Tricentis |
3132058 | IOT-BSV-HS-MS | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Cloud-to-Cloud Interoperability |
3136988 | IOT-BSV-HS-MS | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Reference Template for enabling ingestion and persistence of time series data in Azure |
3136094 | MFG-DM-EDGE | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Digital Manufacturing Cloud for Edge Computing |
3131740 | SBO-CRO-SEC | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Business One |
3135581 | BC-XI-CON-JWS | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration |
SAP Notes/KBAs with Workaround
Note | Component | Title |
3130846 | LOD-HCI-PI-OPS | Detecting and remediating log4j CVE-2021-44228 vulnerabilities in SAP Cloud Integration NEO and CF applications |
3131272 | BC-SEC-ETD | CVE-2021-44228 Apache Log4j vulnerability in SAP Enterprise Threat Detection and ETD Log Collector |
3130698 | BC-XS-RT | Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications |
3131492 | CA-DI | Remediating log4j CVE-2021-44228 vulnerability – SAP Data Intelligence on-premise |
3130967 | CEC-COM-CPS-COR | Mitigating Commerce Platform’s Apache Log4j security vulnerabilities (CVE-2021-44228) for onPrem solution |
3130982 | CEC-COM-CPS | Mitigating Commerce Platform’s Apache Log4j security vulnerabilities (CVE-2021-44228) on SAP Commerce Cloud in SAP Infrastructure |
3130939 | CEC-HCS-CCAZ-OPS | Mitigating Commerce Platform’s Apache Log4j security vulnerabilities (CVE-2021-44228) on SAP Commerce Cloud in Public Cloud |
3130652 | KM-WPB-MGR | SAP Enable Now / Apache Log4j2 issue |
3131119 | XX-PART-GKS | Maintenance Note: SAP Omnichannel Point-of-Sale by GK – Security Note regarding the Java Logging Library Log4j 2 |
3131287 | XX-PROJ-CDP-737 | SAP DND ADO and Log4j |
3130940 | MOB-SYC-SAP-WM | SAP Work Manager / SAP Inventory Manager – log4j vulnerability mitigation |
3130476 | BC-CP-CF | Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications |
3131094 | BC-SYB-PD | Vulnerability in Apache Log4j : CVE-2021-44228 |
3131789 | SBO-CRO-SEC | Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One |
3131920 | XX-PART-MFS-LOR | Security vulnerability CVE-2021-44228 in Apache log4j library for SAP LoadRunner Professional by Micro Focus |
3131935 | XX-PART-MFS-LPR | Security vulnerability CVE-2021-44228 in Apache log4j library for SAP LoadRunner Enterprise by Micro Focus |
3132002 | XX-PART-MFS-CLD-SRL | Security vulnerability CVE-2021-44228 in Apache log4j library for SAP StormRunner Load by Micro Focus |
3131967 | XX-PART-MFS-QUC | Security vulnerability CVE-2021-44228 in Apache log4j library for SAP Quality Center and SAP Octane by Micro Focus |
3131911 | XX-PART-MFS-UFT | Security vulnerability CVE-2021-44228 in Apache log4j library for SAP UFT Developer LeanFT by Micro Focus |
Available fix and Supported packages
N/A
CVSS
Exploit
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/3131047