Skip links

3130521 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

Description

Symptom

UPDATE 11th January 2022:The SAP security note 3135581 includes the corrections provided in this security note as well as 3132204 and 3133005.

Java Web Service Adapter of SAP NetWeaver Process Integration (PI) uses a version of Open Source component Apache Log4j which is vulnerable to remote code execution (CVE-2021-44228).

Other Terms

Command Injection, OS command injection, Process Orchestration, Log4j2, Apache Log4j Security VulnerabilitiesCVE-2021-44228

Reason and Prerequisites

You are only affected by this vulnerability if you are running Java Web Service Adapter of Process Integration / Process Orchestration Release 7.50 SP20, SP21, or SP22. Or in case you have installed partner code or use own implementations, making use of Log4j. See KBA 3129883 how to determine such usage. For a successful exploit, an attacker requires credentials to the Web Service endpoints.

Solution

Disclaimer

Please assess the workaround applicability for your SAP landscape prior to implementation. Note that this workaround is a temporary fix but not a permanent solution. SAP strongly recommends you to apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.

Workaround

The issue can be (partially) mitigated by setting Java system property “log4j2.formatMsgNoLookups=true” as described in above KBA 3129883. Further details are explained on Apache Log4j Security Vulnerabilities.

In case you are not using Java Web Service Adapter, stop and disable the application to be safe. No restart is needed!

  1. Logon to NWA via https://host:port/nwa
  2. Navigate to Operations –> Start & Stop –> Java Applications. Filter for “com.sap.aii.adapter.ws.app” and stop this app. Press home.
  3. Navigate to Configuration –> Infrastructure –> Java System Properties. Press “Show Advanced Properties”. Select the Filters tab. To add a local filter, press Add and enter Action=disable, Vendor Mask=sap.com Component=application, Component Name Mask=com.sap.aii.adapter.ws.app. Press set and save.
  4. Verify that https://host:port/WSAdapter returns “Error: Application is stopped.”
  5. Delete the filter after the system was patched.

In case you are using Java Web Service Adapter, proceed as follows (it is an online deployment). Apply this workaround in emergency cases only.

  1. Download the referenced Patch from SAP Service Marketplace (SAPXIAF.SCA).
  2. Extract the “com.sap.aii.adapter.ws.cxf.lib.sda” from it and place it in the instance directory, for example Linux:/usr/sap/<SID> or Windows: <drive>:\usr\sap\<SID>
  3. Open command shell on the server and logon with telnet localhost 5<xx>08. Enter commands
    • add deploy
    • Linux: deploy /usr/sap/<SID>/com.sap.aii.adapter.ws.cxf.lib.sda core_components=online version_rule=all 
    • Windows: deploy \usr\sap\<SID>\com.sap.aii.adapter.ws.cxf.lib.sda core_components=online version_rule=all
  4. As telnet is currently open, you can immediately check the used versions with:
    • llr -all -f org/apache/log4j/Logger.class
    • llr -all -f org/apache/logging/log4j/core/Logger.class
    • llr -all -f org/apache/logging/log4j/Logger.class
    • llr -all -f org/apache/naming/factory/BeanFactory.class
  5. Exit shell
  6. Go to MMC and restart the single server nodes / instances.

Solution

Deploy the Support Packages and Patches referenced by this SAP Security Note. With this Patch version 2.15.0 of Apache Log4j is deployed to your system and remote code execution is prevented. Note: The update does not protect against the denial of service (DOS) attack reported in CVE-2021-45046 (rated as “low”). This low vulnerability is fixed with SAP Security Note 3132204.

FAQ

Actual information about this topic and further patch updates are available in SAP Note 3131436.

 
 
 

Available fix and Supported packages

SAP_XIAF|7.50|7.50
 
Affected component

XI ADAPTER FRAMEWORK 7.50|SP020|000038|

XI ADAPTER FRAMEWORK 7.50|SP021|000028|

XI ADAPTER FRAMEWORK 7.50|SP022|000010|

XI ADAPTER FRAMEWORK 7.50|SP023|000000|

XI ADAPTER FRAMEWORK 7.50|SP024|000000|

CVSS

CVSS v3.0 Base Score: 9,9/ 10 

Exploit


Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/3130521

TAGS

 

Command Injection, OS command injection, Process Orchestration, Log4j2, Apache Log4j Security VulnerabilitiesCVE-2021-44228 

RedRays SAP Security Audit

RedRays SAP Security Audit

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error