Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
jgleichmann
Active Contributor

last updated: 2022-03-10 10:20 CET


Currently the security topic log4j (CVE-2021-44228 - CVSS score 10 of 10 and also others) is omnipresent. I want to show in this blog how you can check your HANA XSA systems and implement the mitigation. As well as to check if the settings are correct.

The log4j JNDI attack

Source: GovCERT.ch






The fix which should be provided by log4j version 2.15.0 is inclomplete in certain non default configurations - so a new CVE raised: CVE-2021-45046 (initial CVSS score 3,7 - now 9,0 / 10)
This one will be fixed with log4j 2.16.0
Details: lunasec







There is a new vulnerability called CVE-2021-45105 rated with a CVSS of 7,5.
This one will be fixed with log4j 2.17.0 which is now included in the latest XSA runtime version 1.0.142.







There is another new vulnerability called CVE-2021-44832 rated with a CVSS of 6,6.
This one will be fixed with log4j 2.17.1 which is now included in the latest patch XSA runtime version 1.0.143 and XSA Cockpit 1.1.26.

Overview













































CVE effect
fixed by log4j version CVSS score
mitigation via WA available
Release date
CVE-2021-44228 execute arbitrary code loaded from LDAP servers 2.16.0 10 X 20211126
CVE-2021-45046 remote code execution in some environments + local code execution 2.16.0 9 X 20211214
CVE-2021-45105 stack overflow / DOS - denial of service 2.17.0 7,5 X 20211216
CVE-2021-44832 remote code execution (RCE) attack 2.17.1 6,6 - 20211211

To query the CVE database for all log4j vulnerabilities use this link for searching.

 

Overall currently affected products by SAP can be identified by using this document. It will be updated constantly. Last update is from 2022/03/09 15:55 EST (thanks to Kuto Baran for the hint)

There is a new central note for an overview (thanks to Matthias Sander for the hint):

3131047 - [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated ...






Hint: Mark the note as favorite (star in the upper right corner) to get notified for any update on it.

To mention some popular once:

  • Cloud connector is not affected (Note: 3130868)

  • BusinessObjects is not affected (Note: 3129956) - This applies to all the SAP BI products listed in the Environment section of the above mentioned document

  • SAP NetWeaver Application Server Java is not impacted by the CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105. This applies to all the AS Java Core Components. Applications running on top of it using the libs can be affected! (Note: 3129883)

  • SAP NetWeaver Process Integration is affected (Note: 3131436/ 3130521)

  • BTP Cloud Foundry applications can be affected (Note: 3130476 / 3131208)


 




Mitigation CVE-2021-44228


Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.

  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

 

Source: Apache




Log4jscanner


There is a commandline tool (build via Go package) for scanning and rewriting / actively remove the vulnerable class from detected JARs in-place. You can use the git repository for further details.

 




XS Advanced applications


3131258 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 compon...


As we can see from the note the following HANA systems are affected:




  • XSA

  • HANA Cockpit (which also is running as XSA application) - see also note 3131397


XSA runtime affected: Version <= 1.0.140 (currently - 2021/12/21 - there is a now a new version 1.0.141 which includes a fix 3130864 - EXTENDED APPLICATION SERVICES 1 Release Collection 1.0.141! It includes log4j version 2.16.0) [thanks to Matthias Sander and sander.meijer3 ]

Determine XSA Runtime version


Login as sidadm:
xs version

Bild

Check if you can implement the mitigation parameters with version >= 2.10

 

 

Determine log4j version


find /hana/shared/<SID>/xs/uaaserver/tomcat -name "*log4j*"

Bild

 

































XSA Advanced Runtime log4j version affected by
highest CVSS rating
<1.0.140 <2.15 CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 10
1.0.141 2.16.0 CVE-2021-45105 7,5
1.0.142 2.17.0 CVE-2021-44832 6,6
1.0.143 2.17.1 - -

Download patch search:

https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_E...

 

There is a patch for HANA Cockpit SP14 Patch 6 from RTC 2022/03/02 which includes the XS Advanced Runtime 1.0.143. (Summary SP14)


The on-premise stack contains:
LCM for Cockpit - 2.5.61
HDB - 2.00.059
SAP_EXTENDED_APP_SERVICES - 1.0.143
XSAC_HRTT - 2.14.220501
XSAC_COCKPIT- 2.14.6
XSAC_PORTAL_SERV - 2.006.1
XSAC_XSA_COCKPIT - 1.1.26


Thanks to joerg.latza for posting the details.

 

Determine XSA Cockpit version


xs spaces
xs login -s <SPACE>
xs lc


 







































XSA COCKPIT version
log4j version affected by
highest CVSS rating
<1.1.23 <2.15.0 CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 10
1.1.23 2.15.0 CVE-2021-45046, CVE-2021-45105 9
1.1.24 2.16.0 CVE-2021-45105 7,5
1.1.25 2.17.0 CVE-2021-44832 6,6
1.1.26 2.17.1 - -

Download patch search:

https://launchpad.support.sap.com/#/softwarecenter/search/XSA%2520COCKPIT%25201








Attention

From the note: On SAP HANA systems with enabled System Replication (HSR), execute step 1 on the primary and all secondary systems. Executing steps 2-4 is required on the primary system, only.

 






Upgade/Update issue
If you installed HANA cockpit as well, it is not recommended to upgrade XSA Cockpit separately.
Source: 3134932 - XSA Cockpit update fails with error "Selected component SAP HANA Cockpit Stack is not comp...
Credits to Matthias Sander for the hint.

Current information status is that all java version are affected. Also with deactivated class com.sun.jndi.ldap.object.trustURLCodebase .
>> It was initially reported by Lunasec that servers running on JDKs versions higher than 6u211, 7u201, 8u191 are not affected by the LDAP RCE attack vector, as the com.sun.jndi.ldap.object.trustURLCodebase is disabled by default, hence JNDI cannot load a remote codebase using LDAP. However, further analysis by the community has revealed that all JDK versions are vulnerable to this kind of attack. Alvaro Muñoz commented on Twitter the deserialization attacks are still possible with the latest JDK: "The ldap server will return a serialized object which will get deserialized. RCE depends on gadget availability in the classpath though" <<

Source: https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/

Check the used java version:
cd /hana/shared/<SID>/xs/sapjvm_*/bin
./java -version


 




 

Implementation of the parameters


login as sidadm
cdcoc
cp -p xsuaaserver.ini xsuaaserver.ini.bkp
cat xsuaaserver.ini
#if only the section [configuration] is available (default):
echo "UAA.Jvm.AdditionalParameters = -Dlog4j2.formatMsgNoLookups=true" >> xsuaaserver.ini
cat xsuaaserver.ini
#if not, insert the line via vi
vi xsuaaserver.ini

 

check your XSA before you apply changes:
XSA diagnose
XSA backup-ssfs
XSA backup-fss

To find vulnerable XS advanced applications with respect to CVE-2021-44228:
xs-admin-login
xs find-artifacts -n "log4j-core*"

mitigations - note that due other CVE's than CVE-2021-44228 that an update is strongly recommended:

  1. set workaround environment parameter LOG4J_FORMAT_MSG_NO_LOOKUPS to true

  2. remove the JndiLookup class from the classpath


xs-admin-login
xs urevg --add LOG4J_FORMAT_MSG_NO_LOOKUPS true
cdxs
zip -q -d ./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d ./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 



XSA restart







!!!This will restart your XSA services which means your applications will not be available for 15-30min!!!

 

check xsuaaserver.out for the correct variables / parameters:
cdtrace
grep -i log4j xsuaaserver.out


 

as mentioned by sathiyaraj.jagadesh2 you can also check the parameters via revg:
xs revg | grep -i log4j


 

Check after implementation
XSA diagnose


Check the output in the trace directory: /hana/shared/<SID>/<hostname>/trace/xsa_diagnose_results.txt




 

As soon as there are updates on this topic I will update the blog.

I would wish SAP could list the components and versions of each patch. Having this information would save any customer a lot of time trying to figure out the right patch levels. Currently, these details are not published in any note or document. Nowadays it should not be impossible to provide such details.

 

SAP Security Patch Day - December 2021

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

https://securitybridge.com/sap-patchday/sap-security-patch-day-december-2021/

 

Further sources:

https://logging.apache.org/log4j/2.x/security.html

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025...

https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/

https://github.com/google/log4jscanner
43 Comments
Labels in this area