Description
Symptom
UPDATE 11th January 2022: The SAP security note 3135581 includes the corrections provided in this security note as well as those in 3132204 and 3133005.
Java Web Service Adapter of SAP NetWeaver Process Integration (PI) uses a version of Open Source component Apache Log4j which is vulnerable to remote code execution (CVE-2021-44228).
Other Terms
Command Injection, OS command injection, Process Orchestration, Log4j2, Apache Log4j Security Vulnerabilities, CVE-2021-44228
Reason and Prerequisites
You are only affected by this vulnerability if you are running the Java Web Service Adapter of Process Integration / Process Orchestration release 7.50 SP20, SP21, or SP22, or if you have installed partner code or your own implementations that make use of Log4j. See KBA 3129883 on how to determine such usage. For a successful exploit, an attacker requires credentials to the Web Service endpoints.
Solution
Disclaimer
Please assess the workaround applicability for your SAP landscape prior to implementation. Note that this workaround is a temporary fix but not a permanent solution. SAP strongly recommends you to apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.
Workaround
The issue can be (partially) mitigated by setting the Java system property “log4j2.formatMsgNoLookups=true” as described in KBA 3129883 above. Further details are explained in Apache Log4j Security Vulnerabilities.
If you are not using the Java Web Service Adapter, stop and disable the application to be safe. No restart is needed!
- Logon to NWA via https://host:port/nwa
- Navigate to Operations –> Start & Stop –> Java Applications. Filter for “com.sap.aii.adapter.ws.app” and stop this app. Press Home.
- Navigate to Configuration –> Infrastructure –> Java System Properties. Press “Show Advanced Properties”. Select the Filters tab. To add a local filter, press Add and enter Action=disable, Vendor Mask=sap.com, Component=application, Component Name Mask=com.sap.aii.adapter.ws.app. Press Set and Save.
- Verify that https://host:port/WSAdapter returns “Error: Application is stopped.”
- Delete the filter after the system was patched.
If you are using the Java Web Service Adapter, proceed as follows (it is an online deployment). Apply this workaround in emergency cases only.
- Download the referenced Patch from SAP Service Marketplace (SAPXIAF.SCA).
- Extract “com.sap.aii.adapter.ws.cxf.lib.sda” from it and place it in the instance directory, for example Linux: /usr/sap/<SID> or Windows: <drive>:\usr\sap\<SID>
- Open a command shell on the server and log on with telnet localhost 5<xx>08. Enter the commands:
  - add deploy
  - Linux: deploy /usr/sap/<SID>/com.sap.aii.adapter.ws.cxf.lib.sda core_components=online version_rule=all
  - Windows: deploy \usr\sap\<SID>\com.sap.aii.adapter.ws.cxf.lib.sda core_components=online version_rule=all
- As the telnet session is still open, you can immediately check the versions in use with:
  - llr -all -f org/apache/log4j/Logger.class
  - llr -all -f org/apache/logging/log4j/core/Logger.class
  - llr -all -f org/apache/logging/log4j/Logger.class
  - llr -all -f org/apache/naming/factory/BeanFactory.class
- Exit the shell.
- Go to MMC and restart the single server nodes / instances.
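The llr checks above tell you which Log4j classes the running server has loaded, but they do not tell you the version of the archive they came from. The following script is an added example (not SAP's code and not part of this note) that performs the same class checks offline against JAR files and against the JARs nested in .sda/.sca archives, reads the Log4j version from the manifest (falling back to the file name), and reports whether the version is at or above the 2.15.0 level the note says the patch deploys. The class paths mirror the llr commands; JndiLookup.class is an additional marker because it is the class that implements the JNDI lookup behind CVE-2021-44228. The sample JARs are constructed in a temporary directory and contain no real bytecode.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Class paths used as markers. The first three mirror the "llr -all -f" checks in the note;
# JndiLookup.class is the class implementing the JNDI lookup abused in CVE-2021-44228.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
LOG4J2_API_MARKER = "org/apache/logging/log4j/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_RCE = (2, 15, 0)  # Log4j version the SAP patch deploys, per the note


def parse_version(text: str) -> Optional[tuple]:
    """'2.14.1' -> (2, 14, 1); None if no dotted three-part version is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def assess_jar(data: bytes, name: str = "unknown.jar") -> dict:
    """Classify one JAR (given as bytes) by the Log4j marker classes and version it carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Fall back to the file name (e.g. log4j-core-2.14.1.jar) when the manifest has no version.
        version_text = manifest_version(zf) or name
    parsed = parse_version(version_text)
    result = {
        "name": name,
        "log4j1": LOG4J1_MARKER in names,
        "log4j2_api": LOG4J2_API_MARKER in names,
        "log4j2_core": LOG4J2_CORE_MARKER in names,
        "jndi_lookup_present": JNDI_LOOKUP in names,
        "version": ".".join(map(str, parsed)) if parsed else None,
        "cve_2021_44228_fixed": None,  # only meaningful for log4j-core
    }
    if result["log4j2_core"]:
        # An unknown version is treated as not fixed; 2.15.0 closes the RCE but, per the note,
        # not CVE-2021-45046, which needs SAP Security Note 3132204.
        result["cve_2021_44228_fixed"] = parsed is not None and parsed >= FIXED_RCE
    return result


def scan_dir(root: Path) -> list:
    """Assess every *.jar below root; .sda/.sca archives are ZIPs, so their nested JARs are read too."""
    findings = []
    for path in sorted(root.rglob("*")):
        suffix = path.suffix.lower()
        if suffix == ".jar":
            findings.append(assess_jar(path.read_bytes(), path.name))
        elif suffix in (".sda", ".sca"):
            with zipfile.ZipFile(path) as outer:
                for inner in outer.namelist():
                    if inner.lower().endswith(".jar"):
                        findings.append(assess_jar(outer.read(inner), f"{path.name}!{inner}"))
    return findings


def build_sample_jar(version: Optional[str], include_jndi: bool, log4j1: bool = False) -> bytes:
    """Constructed stand-in for a Log4j JAR: a manifest plus empty marker entries, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n" + (f"Implementation-Version: {version}\n" if version else "")
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if log4j1:
            zf.writestr(LOG4J1_MARKER, b"")
        else:
            zf.writestr(LOG4J2_CORE_MARKER, b"")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1", True))
        (root / "log4j-core-2.15.0.jar").write_bytes(build_sample_jar("2.15.0", True))
        (root / "log4j-1.2.17.jar").write_bytes(build_sample_jar("1.2.17", False, log4j1=True))
        for finding in scan_dir(root):
            print(finding)
```

Point scan_dir at a copy of the instance directory or at the extracted SAPXIAF.SCA to confirm which Log4j archives it carries before and after the deploy step; a log4j-core entry with cve_2021_44228_fixed False, or with jndi_lookup_present True and no determinable version, is the case the note's patch addresses.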
Solution
Deploy the Support Packages and Patches referenced by this SAP Security Note. With this patch, version 2.15.0 of Apache Log4j is deployed to your system and remote code execution is prevented. Note: the update does not protect against the denial of service (DoS) attack reported in CVE-2021-45046 (rated as “low”). This low vulnerability is fixed with SAP Security Note 3132204.
FAQ
Current information about this topic and further patch updates are available in SAP Note 3131436.
Available fix and Supported packages
Software Component          Support Package   Patch Level
XI ADAPTER FRAMEWORK 7.50   SP020             000038
XI ADAPTER FRAMEWORK 7.50   SP021             000028
XI ADAPTER FRAMEWORK 7.50   SP022             000010
XI ADAPTER FRAMEWORK 7.50   SP023             000000
XI ADAPTER FRAMEWORK 7.50   SP024             000000
CVSS
Exploit
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/3130521