SAP Security Notes, December 2021
The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4JShell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.
Log4Shell impacts Log4J, a widely installed open-source Java logging utility, developed and maintained by the Apache Software Foundation. Log4J versions 2.14.1 and lower support remote message lookup substitution using the Java Naming and Directory Interface (JNDI) Application Programming Interface (API). Message lookup substitutions are used modify the Log4J configuration with dynamic values. The default setting for the JNDI property in Log4J enables values to be retrieved from remote sources.
A zero-day Remote Code Execution (RCE) vulnerability impacting the message lookup feature via JNDI in Log4J was discovered and reported by security researchers to the Apache Foundation on November 24, 2021. The vulnerability was patched by Apache on December 6 and published in the National Vulnerability Database on December 12 as CVE-2021-44228, also known as Log4Shell. A POC for the vulnerability was published on GitHub. CVE-2021-44228 has the maximum possible CVSS score of 10.0/10.0. The attack complexity is classified as low, requiring no privileges or user interaction.
Log4J is included in bundled in multiple SAP solutions. As of December 26, 2021, SAP had provided patches for products including SAP HANA XS Advanced (XSA) Runtime and XSA Cockpit, Process Orchestration, and Landscape Management. Patches were pending for multiple solutions including SAP Business One, Commerce, PowerDesigner, and Web IDE for HANA. Workarounds are provided for some of the unpatched solutions via Knowledge Based Articles (KBA).