Is SAP affected?
Update (Dec 21, 2021): SAP worked hard last week on giving more clarity on affected components. It is important to use the central note SAP has released on the topic as well as the statement for customers and assess your landscape for possible vulnerable components. Keep in mind that you cannot scan for all log4j vulnerabilities in an automated way and that SAP still has not a 100% complete picture of affected components and patches available as this is still an evolving topic.
Update (Dec 13, 2021): SAP released ~20 notes on log4j, indicating most software is not impacted, apart from:
- XS Advanced Runtime version 1.0.140 or lower (SAP note 3130698)
- SAP Customer Checkout PoS and SAP Customer Checkout manager – in versions 2.0 FP09, 2.0 FP10, 2.0 FP11 PL06 (or lower) and 2.0 FP12 PL04 (or lower). (SAP note 3130499)
Big shout out to all heroes working this weekend in software development, bug fixing, certs, socs, blue teams and alike on the recently disclosed vulnerability in Apache log4j. This open-source component is used for logging purposes and included in many commercial software products like Vmware, Twitter, Docker, Minecraft and many many others.
But how about SAP products? Should customers take action?
For now, the impact of this vulnerability seems limited when it comes to SAP products. A search on the marketplace on the cve-name shows a couple of notes SAP has released already on the topic. It is our expectation that in the coming days these will be extended for other products but for now, it seems that at least the following products are not affected:
Our own research on SAP business Objects showed that the log4j jar file is present but not being used and is not exploitable in the default setup.
Further research is needed as this vulnerability is rather fresh and we expect SAP to keep updating customers on this topic. Luckily for now it seems the impact is low and once again underlining the attention we should give to the re-use of open-source software components and the need for proper vulnerability management processes.
For SAP customers Protect4S can support the vulnerability management process and lower risk in your business-critical SAP systems.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
Try out Protect4S for 1 month for free or request a demo!