Skip links

3131047 – [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component

Description

Symptom

This security note will be the central document to consolidate information on the Remote Code Execution vulnerability associated with Apache Log4j 2 component (CVE-2021-44228). Please refer to the solution section for the list of SAP Notes/KBAs with workaround and Security Notes released by SAP addressing this vulnerability. This security note will be a living document that will be updated regularly.

Refer here for SAP’s Response to CVE-2021-44228 Apache Log4J 2 issue.

Other Terms

CVE-2021-44228, Remote Code Execution, Log4Shell, Central Security Note, Apache Log4j

Solution

SAP Security Notes

Note Component Description
3133772

IS-SE-CCO

Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
3130578

BC-CP-CF-RT

Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
3132198

BC-VCM-LVM

Code Injection vulnerability in SAP Landscape Management
3131824

IS-PMED-HPH

Log4j Vulnerability in Connected Health Platform 2.0 – Fhirserver
3131258 BC-XS-RT  Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
3132922 BC-NEO-SVC-IOT Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform
3132744 BC-CP-XF-KYMA Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Kyma
3132964 KM-WPB-MGR Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Enable Now Manager
3132074 LOD-CRM-GW-LN Code Injection vulnerability in Cloud for Customer Lotus Notes PlugIn
3132177 CA-GTF-CSC-EDO-IN-DC Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Localization Hub, digital compliance service for India
3132909 IOT-EDG-OP Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition
3132162 OPU-API-OD-DT Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP API Management (Tenant Cloning Tool)
3134531 BC-XS-ADM

Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

(includes fix provided in 31328223131397)

3132515 IOT-EDG-OD Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services Cloud Edition
3131691 XX-PART-ADB-IFM Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0)
3134139 XX-PART-TRI-CLD-ECT Remote Code Execution vulnerability associated with Apache Log4j2 component used in SAP Enterprise Continuous Testing by Tricentis
3132058 IOT-BSV-HS-MS Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Cloud-to-Cloud Interoperability
3136988 IOT-BSV-HS-MS Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Reference Template for enabling ingestion and persistence of time series data in Azure
3136094 MFG-DM-EDGE Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Digital Manufacturing Cloud for Edge Computing
3131740 SBO-CRO-SEC Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Business One
3135581 BC-XI-CON-JWS

Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Java Web Service Adapter of SAP NetWeaver Process Integration

(includes fix provided in 313220431305213133005)

SAP Notes/KBAs with Workaround

Note Component Title
3130846 LOD-HCI-PI-OPS Detecting and remediating log4j CVE-2021-44228 vulnerabilities in SAP Cloud Integration NEO and CF applications
3131272 BC-SEC-ETD CVE-2021-44228 Apache Log4j vulnerability in SAP Enterprise Threat Detection and ETD Log Collector
3130698 BC-XS-RT Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications
3131492 CA-DI Remediating log4j CVE-2021-44228 vulnerability – SAP Data Intelligence on-premise
3130967 CEC-COM-CPS-COR Mitigating Commerce Platform’s Apache Log4j security vulnerabilities (CVE-2021-44228) for onPrem solution
3130982 CEC-COM-CPS Mitigating Commerce Platform’s Apache Log4j security vulnerabilities (CVE-2021-44228) on SAP Commerce Cloud in SAP Infrastructure
3130939 CEC-HCS-CCAZ-OPS Mitigating Commerce Platform’s Apache Log4j security vulnerabilities (CVE-2021-44228) on SAP Commerce Cloud in Public Cloud
3130652 KM-WPB-MGR SAP Enable Now / Apache Log4j2 issue
3131119 XX-PART-GKS Maintenance Note: SAP Omnichannel Point-of-Sale by GK – Security Note regarding the Java Logging Library Log4j 2
3131287 XX-PROJ-CDP-737 SAP DND ADO and Log4j
3130940 MOB-SYC-SAP-WM SAP Work Manger / SAP Inventory Manager – log4j vulnerability mitigation
3130476 BC-CP-CF Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications
3131094 BC-SYB-PD Vulnerability in Apache Log4j : CVE-2021-44228
3131789 SBO-CRO-SEC Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One
3131920 XX-PART-MFS-LOR Security vulnerability CVE-2021-44228 in Apache log4j library for SAP LoadRunner Professional by Micro Focus
3131935 XX-PART-MFS-LPR Security vulnerability CVE-2021-44228 in Apache log4j library for SAP LoadRunner Enterprise by Micro Focus
3132002 XX-PART-MFS-CLD-SRL Security vulnerability CVE-2021-44228 in Apache log4j library for SAP StormRunner Load by Micro Focus
3131967 XX-PART-MFS-QUC Security vulnerability CVE-2021-44228 in Apache log4j library for SAP Quality Center and SAP Octane by Micro Focus
3131911 XX-PART-MFS-UFT Security vulnerability CVE-2021-44228 in Apache log4j library for SAP UFT Developer LeanFT by Micro Focus

Available fix and Supported packages

N/A
 
Affected component

N/A

CVSS

CVSS v3.0 Base Score: 10,0 / 10 

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/3131047

TAGS

 CVE-2021-44228, Remote Code Execution, Log4Shell, Central Security Note, Apache Log4j