Apache Log4j Zero Day vulnerability

In December 2021, a critical security issue was found in the Java framework Log4j. Because of it, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. More information about this zero-day vulnerability can be found here 



This library is used in many software products worldwide.

The following software products are not affected:

  • Coresuite and its modules 
  • Coresuite Service
  • Coresuite Cube
  • SAP B1 Cloud Connector

The following products have been identified as using Log4j. Appropriate patching, or recommended temporary fixes, were applied.

  • SAP Field Service Management
    As FSM is a cloud-based solution, no action is required by customers.

The following products have been identified as using Log4j.

  • SAP Business One with the following components:
    • Workflow
    • License Server
    • Service Layer
    • Job Service
    • Extension Manager
    • Integration Framework (B1i)

SAP created a note with step-by-step procedures for fixing this vulnerability. You will find this note here: https://launchpad.support.sap.com/#/notes/3131789


Here you will also find the PDF with the instructions for download.

We strongly recommend following these procedures as described in the SAP note.


General recommendation

In your own Apache / Tomcat server environments, keep your logging services (Log4j) updated to the latest version: https://logging.apache.org/log4j/2.x/download.html

