The Java Web Service Adapter of SAP NetWeaver Process Integration (PI) uses a version of the Open Source component Apache Log4j that is vulnerable to remote code execution (CVE-2021-44228).
Reason and Prerequisites
You are only affected by this vulnerability if you are running the Java Web Service Adapter of Process Integration / Process Orchestration Release 7.50 SP20, SP21, or SP22, or if you have installed partner code or use your own implementations that make use of Log4j. See KBA 3129883 for how to determine such usage. For a successful exploit, an attacker requires credentials to the Web Service endpoints.
Please assess the applicability of the workaround for your SAP landscape prior to implementation. Note that this workaround is a temporary fix, not a permanent solution. SAP strongly recommends that you apply the corrections outlined in this security note, which can be done instead of the workaround or after the workaround is implemented.
The issue can be (partially) mitigated by setting the Java system property “log4j2.formatMsgNoLookups=true” as described in KBA 3129883 above. Further details are explained in Apache Log4j Security Vulnerabilities.
In case you are not using the Java Web Service Adapter, stop and disable the application to be safe. No restart is needed!
- Log on to NWA via https://host:port/nwa.
- Navigate to Operations –> Start & Stop –> Java Applications. Filter for “com.sap.aii.adapter.ws.app” and stop this application. Press Home.
- Navigate to Configuration –> Infrastructure –> Java System Properties. Press “Show Advanced Properties” and select the Filters tab. To add a local filter, press Add and enter Action=disable, Vendor Mask=sap.com, Component=application, Component Name Mask=com.sap.aii.adapter.ws.app. Press Set and save.
- Verify that https://host:port/WSAdapter returns “Error: Application is stopped.”
- Delete the filter after the system has been patched.
In case you are using the Java Web Service Adapter, proceed as follows (this is an online deployment). Apply this workaround in emergency cases only.
- Download the referenced patch (SAPXIAF.SCA) from SAP Service Marketplace.
- Extract “com.sap.aii.adapter.ws.cxf.lib.sda” from it and place it in the instance directory, for example Linux: /usr/sap/<SID> or Windows: <drive>:\usr\sap\<SID>.
- Open a command shell on the server and log on with telnet localhost 5<xx>08. Enter the commands:
  - add deploy
  - Linux: deploy /usr/sap/<SID>/com.sap.aii.adapter.ws.cxf.lib.sda core_components=online version_rule=all
  - Windows: deploy \usr\sap\<SID>\com.sap.aii.adapter.ws.cxf.lib.sda core_components=online version_rule=all
- As the telnet session is still open, you can immediately check the used versions with:
  - llr -all -f org/apache/log4j/Logger.class
  - llr -all -f org/apache/logging/log4j/core/Logger.class
  - llr -all -f org/apache/logging/log4j/Logger.class
  - llr -all -f org/apache/naming/factory/BeanFactory.class
- Exit the shell.
- Go to MMC and restart the single server nodes / instances.
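The llr checks above confirm which Log4j classes the running server loads; the same verification can be done offline against jar files on disk before and after the patch. This is an added example for this page, not SAP code: it reads Log4j's Maven pom.properties from each jar, looks for the marker classes named in the note plus the JndiLookup class behind CVE-2021-44228, compares the version against the 2.15.0 the patch deploys, and builds two constructed sample jars for its own demo.

```python
import os, re, tempfile, zipfile

LOG4J1_CLASS = "org/apache/log4j/Logger.class"
LOG4J2_CLASS = "org/apache/logging/log4j/core/Logger.class"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # performs the abused lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # Log4j version deployed by the SAP patch

def parse_version(text):
    """Return the version= value of a Maven pom.properties as an int tuple."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(re.match(r"\d+", p).group()) for p in parts)
    return None

def classify_jar(path):
    """Inspect one jar and return a one-line status."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if LOG4J1_CLASS in names:
            return "log4j 1.x present"
        if LOG4J2_CLASS not in names:
            return "no log4j-core"
        version = parse_version(jar.read(POM_PROPS).decode()) if POM_PROPS in names else None
        if version is None:
            return "log4j-core, version unknown"
        if version < FIXED:
            jndi = "JndiLookup present" if JNDI_CLASS in names else "JndiLookup removed"
            return "log4j-core %s: CVE-2021-44228 applies (%s)" % (".".join(map(str, version)), jndi)
        return "log4j-core %s: at or above 2.15.0" % ".".join(map(str, version))

def scan(root):
    """Classify every .jar under root (jars nested inside .sda/.sca are not opened)."""
    return {os.path.join(d, f): classify_jar(os.path.join(d, f))
            for d, _, fs in os.walk(root) for f in fs if f.lower().endswith(".jar")}

def make_sample_jar(path, version):
    """Write a constructed jar with only marker entries (test input, not a real library)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(LOG4J2_CLASS, b"")
        jar.writestr(JNDI_CLASS, b"")
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=%s\n" % version)

def demo():
    root = tempfile.mkdtemp()  # constructed sample jars: one pre-patch, one at 2.15.0
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    return {os.path.basename(p): s for p, s in scan(root).items()}
```

Point scan() at the instance directory after deploying the SDA to confirm that no pre-2.15.0 log4j-core jar remains on disk.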
Deploy the Support Packages and Patches referenced by this SAP Security Note. With this patch, version 2.15.0 of Apache Log4j is deployed to your system and the remote code execution is prevented. Note: the update does not protect against the denial of service (DoS) attack reported in CVE-2021-45046 (rated as “low”). This low-rated vulnerability is fixed with SAP Security Note 3132204.
Current information about this topic and further patch updates are available in SAP Note 3131436.
Available Fix and Supported Packages
Software Component|Support Package|Patch Level|
XI ADAPTER FRAMEWORK 7.50|SP020|000038|
XI ADAPTER FRAMEWORK 7.50|SP021|000028|
XI ADAPTER FRAMEWORK 7.50|SP022|000010|
XI ADAPTER FRAMEWORK 7.50|SP023|000000|
XI ADAPTER FRAMEWORK 7.50|SP024|000000|