In December 2021, a critical security issue (CVE-2021-44228, widely known as Log4Shell) was found in the Java logging library Log4j. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. More information about this zero-day vulnerability can be found here
This library is used in many software products worldwide.
The following software products are not affected:
- Coresuite and its modules
- Coresuite Service
- Coresuite Cube
- SAP B1 Cloud Connector
The following products have been identified as using Log4j. Appropriate patching, or the recommended temporary mitigations, have been applied:
- SAP Field Service Management
  As FSM is a cloud-based solution, no action is required by customers.
The following products have been identified as using Log4j and require action by customers:
- SAP Business One with the following components:
  - License Server
  - Service Layer
  - Job Service
  - Extension Manager
  - Integration Framework (B1i)
SAP has published a note with step-by-step procedures for fixing this vulnerability. You will find the note here: https://launchpad.support.sap.com/#/notes/3131789
We strongly recommend following the procedures described in that SAP note.
In your own Apache / Tomcat server environments, keep your logging library (Log4j) updated to the latest version: https://logging.apache.org/log4j/2.x/download.html
Note that the first temporary mitigation published for this issue (setting the log4j2.formatMsgNoLookups property) was later shown to be incomplete (CVE-2021-45046), so upgrade the library instead of relying on that flag. The releases that close the Log4Shell series of issues are 2.17.1 or later for Java 8 and newer, 2.12.4 for Java 7, and 2.3.2 for Java 6. Remember that log4j-core jars are often bundled inside deployed .war files, not only in the Tomcat lib directory, so check every web application as well.
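As an added example (not part of this advisory, and not Coresuite or SAP code), the following Python script shows the kind of inventory check a practitioner can run against a Tomcat installation to find out which Log4j versions are really deployed, including log4j-core jars nested inside .war files. It reads the Maven pom.properties that log4j-core jars ship with, compares the version against the fixed release on each branch, and records whether JndiLookup.class is present. The lib/ and webapps/ layout and the three sample jars are constructed in a temporary directory purely for demonstration; the version strings and jar names are assumed sample data. Point scan_for_log4j at a real CATALINA_HOME or CATALINA_BASE instead.

```python
import io
import itertools
import os
import tempfile
import zipfile

# Where Maven-built log4j-core jars record their version, and the class that
# performs the JNDI lookup behind CVE-2021-44228.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable parts become 0."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version):
    """Releases that close CVE-2021-44228/-45046/-45105/-44832 on each branch."""
    major, minor, patch = version
    if major != 2:
        return False              # unparsed or unexpected: needs manual review
    if minor == 3:
        return patch >= 2         # Java 6 branch
    if minor == 12:
        return patch >= 4         # Java 7 branch
    return version >= (2, 17, 1)  # Java 8+ branch


def inspect_archive(zf, location, findings):
    """Record a log4j-core jar at `location`, then descend into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = "unknown"
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        findings.append({
            "location": location,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            "vulnerable": not is_fixed(parse_version(version)),
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!/{name}", findings)


def scan_for_log4j(root):
    """Walk `root` (e.g. CATALINA_HOME) and return one finding per log4j-core jar."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, os.path.relpath(full, root).replace(os.sep, "/"), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["location"])


def make_jar_bytes(artifact, version, with_jndi):
    """Constructed stand-in for a Maven-built Log4j jar (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId={artifact}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed Tomcat-like layout: old log4j-core in lib/, patched one inside a war."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_jar_bytes("log4j-core", "2.14.1", True))
    with open(os.path.join(root, "lib", "log4j-api-2.14.1.jar"), "wb") as f:
        f.write(make_jar_bytes("log4j-api", "2.14.1", False))  # api jar is not the vulnerable artifact
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:  # JndiLookup.class still ships in 2.17.1; version decides
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_jar_bytes("log4j-core", "2.17.1", True))
    with open(os.path.join(root, "webapps", "app.war"), "wb") as f:
        f.write(war.getvalue())


def run_demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_for_log4j(root)


if __name__ == "__main__":
    for finding in run_demo():
        status = "VULNERABLE" if finding["vulnerable"] else "fixed"
        print(f'{status:10} {finding["version"]:8} jndi={finding["jndi_lookup_present"]} {finding["location"]}')
```

The check deliberately keys on the version rather than on the mere presence of JndiLookup.class: the class is still shipped in patched 2.17.x releases (with JNDI disabled by default), so its presence alone does not mean a jar is vulnerable, while a jar whose version cannot be read is reported as vulnerable so that it gets looked at by hand.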