Keep an eye on Text4Shell
On October 13th 2022, CVE-2022-42889, also known as “Text4Shell”, was published. It is a vulnerability in the popular open-source Apache Commons Text library that can lead to remote code execution, and its potential impact has caused some commotion in the security community. The vulnerability was first announced on October 13th 2022 on the Apache dev list.
Since the vulnerability is in an open-source library, it has been compared to the Log4Shell vulnerability, which impacted, among others, SAP Java-based systems and SAP SaaS solutions. For now, this new vulnerability appears to have less impact, since the vulnerable component is less widely used than the one behind Log4Shell. Yet, where applicable, we still recommend patching impacted software according to your normal vulnerability management process.
What we know for now with regard to the impact on SAP systems is that SAP has released several notes for specific SAP components, mainly stating that these components are not vulnerable. It might, however, take some time for SAP to go through its codebase and provide a full picture; with Log4Shell fresh in mind, it took SAP several weeks to provide that complete list.
Without being backed by SAP statements, it seems fair to assume that SAP ABAP stacks are not vulnerable, as the affected component is not used in this stack. This lowers the risk for many SAP customers, as in practice we see many SAP landscapes consisting of SAP ABAP stacks. For other SAP components, much is unclear for now and we must wait for SAP to provide a full overview. What is known is that the vulnerability is part of older Java Development Kits (JDK), and it is unsure how much of that is shipped in the specific SAP JDK. Some client components of SAP, like the Developer/HANA Studio and MaxDB Studio, make use of the standard Java JDK and we would not be surprised if these are affected, but again, we need SAP to confirm this.
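Until SAP confirms which components ship the library, an inventory check of your own Java-based installations is the practical step. The following Python script is an added example, not code from the original post or from SAP or Protect4S: it walks a directory tree, reports every Apache Commons Text jar it finds (including jars nested in .war/.ear archives) with its version, and flags the range CVE-2022-42889 affects (1.5 up to and including 1.9, fixed in 1.10.0); the directory layout built in demo() is constructed test data.

```python
import os, re, tempfile, zipfile
# CVE-2022-42889 affects Apache Commons Text 1.5 up to and including 1.9; 1.10.0 is the fixed release.
FIRST_AFFECTED, FIXED = (1, 5, 0), (1, 10, 0)
JAR_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'1.9' -> (1, 9, 0), '1.10.0' -> (1, 10, 0): tuples compare numerically, strings would not."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def jar_version(path):
    """Prefer Implementation-Version from the jar manifest (survives renamed jars); else the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        hit = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if hit:
            return hit.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    hit = JAR_RE.search(os.path.basename(path))
    return hit.group(1) if hit else None

def scan(root):
    """(location, version, affected) for each commons-text jar under root, also inside .war/.ear files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.startswith("commons-text") and name.endswith(".jar"):
                ver = jar_version(full)
                findings.append((full, ver, ver is not None and is_affected(ver)))
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as archive:  # nested jars: version from the entry name only
                    for entry in archive.namelist():
                        hit = JAR_RE.search(entry)
                        if hit:
                            findings.append((f"{full}!{entry}", hit.group(1), is_affected(hit.group(1))))
    return findings

def demo():
    """Scan a constructed tree (not real SAP files): an affected 1.9 jar plus a fixed 1.10.0 jar in a .war."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "commons-text-1.9.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 1.9\r\n")
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/commons-text-1.10.0.jar", b"")
        return sorted((os.path.relpath(loc, root), ver, hit) for loc, ver, hit in scan(root))
```

Point scan() at an installation directory (for example the SAP JVM or a client tool's plugin folder) to list what it actually ships; a hit on the affected range is a reason to raise the item in your vulnerability management process, not proof that the installation is exploitable.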
For customers that want to stay updated, we recommend keeping an eye on the list of affected SAP components via the SAP Security notes. If this vulnerability leads to out-of-band patches from SAP, we will update our customer base with an out-of-band Protect4S Vulnerability Management Support Package as well.