Jens Gleichmann

HANA XSA log4j CVE-2021-44228

last updated: 2022-01-25 08:00 CET

The log4j vulnerability CVE-2021-44228 (CVSS score 10 of 10) and its follow-up CVEs are currently omnipresent. This blog shows how to check your HANA XSA systems, how to implement the mitigation, and how to verify afterwards that the settings are actually in effect.

Figure: the log4j JNDI attack flow (source: GovCERT.ch)

The fix shipped in log4j 2.15.0 is incomplete in certain non-default configurations, so a new CVE was raised: CVE-2021-45046 (initial CVSS score 3.7, later raised to 9.0 / 10).
This one is fixed with log4j 2.16.0.
Details: see the lunasec post (linked under Further sources).
There is a further vulnerability, CVE-2021-45105 (denial of service), rated with a CVSS of 7.5.
This one is fixed with log4j 2.17.0, which is included in the latest XS Advanced runtime version 1.0.142.
There is another vulnerability, CVE-2021-44832, rated with a CVSS of 6.6.
This one is fixed with log4j 2.17.1, which so far is only included in XSA Cockpit 1.1.26 (see the table below) and not yet in any XS Advanced runtime or HANA Cockpit patch (status as of the last update of this blog).

Overview

CVE             Effect                                                                  Fixed in log4j   CVSS   Workaround   Release date
CVE-2021-44228  execute arbitrary code loaded from an attacker-controlled LDAP server   2.16.0 (*)       10.0   yes          20211126
CVE-2021-45046  remote code execution in some environments + local code execution       2.16.0           9.0    yes          20211214
CVE-2021-45105  uncontrolled recursion / DoS (denial of service)                        2.17.0           7.5    yes          20211216
CVE-2021-44832  remote code execution via JDBC Appender with an attacker-controlled configuration   2.17.1   6.6   no        20211211

(*) 2.15.0 contained the first fix; 2.16.0 is the recommended minimum because it also disables message lookups completely (see CVE-2021-45046).

To list all log4j vulnerabilities, search the CVE database for the keyword log4j.

The SAP products currently affected can be identified via the SAP Trust Center document sap-tc-01-5025.pdf (linked under Further sources). It is updated constantly; the last update is from 2022/01/21 13:30 EST (thanks to Kuto Baran for the hint).

There is a new central note for an overview (thanks to Matthias Sander for the hint):

3131047 – [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component

Hint: Mark the note as favorite (star in the upper right corner) to get notified for any update on it.

To mention some popular ones:

  • Cloud Connector is not affected (Note 3130868)
  • BusinessObjects is not affected (Note 3129956). This applies to all the SAP BI products listed in the Environment section of the above-mentioned document.
  • SAP NetWeaver Application Server Java is not impacted by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. This applies to all AS Java core components; applications running on top of it that bundle the log4j 2 libraries themselves can still be affected (Note 3129883).
  • SAP NetWeaver Process Integration is affected (Notes 3131436 / 3130521)
  • BTP Cloud Foundry applications can be affected (Notes 3130476 / 3131208)


Mitigation CVE-2021-44228

Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf(“%s”, userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

 

Source: Apache log4j security page (linked under Further sources).

Note on log4j 1.x: it is not affected by CVE-2021-44228, but it has been end of life since August 2015 and has a related JNDI issue of its own, CVE-2021-4104, which applies only when the non-default JMSAppender is configured and the attacker has write access to the log4j configuration (see the comments below).


Log4jscanner

There is a command-line tool (google/log4jscanner, written in Go; repository linked under Further sources) that scans JARs for the vulnerable JndiLookup class and can rewrite them in place to remove it. See the Git repository for details.
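As an added example (not code from the original post and not google/log4jscanner itself), the following Python script does the same two things on a directory tree: it finds log4j-core JARs, reads the version from the Maven pom.properties inside the JAR (falling back to the file name), checks whether JndiLookup.class is present, maps the result to the CVE table above, and strips the class in place with a .bak copy, which is equivalent to the zip -q -d command from the Apache mitigation. The uaaserver-like directory layout and the two sample JARs are constructed fixtures with empty class entries, not real SAP files.

```python
"""Find log4j-core JARs, classify them against the CVE table, and strip
JndiLookup.class in place (the zip -q -d mitigation) where it still matters.

Added example for this blog, not code from the post or from google/log4jscanner.
The fixture tree written by make_sample_tree() is constructed test data.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# (fixed-in version, CVE) from the overview table: a JAR older than the fix is affected.
CVE_FIXED_IN = [("2.16.0", "CVE-2021-44228"), ("2.16.0", "CVE-2021-45046"),
                ("2.17.0", "CVE-2021-45105"), ("2.17.1", "CVE-2021-44832")]
JNDI_CVES = ("CVE-2021-44228", "CVE-2021-45046")   # mitigated by removing JndiLookup.class


def parse_version(text):
    """'log4j-core-2.15.0.jar' or '2.15' -> (2, 15, 0); None if no version is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def jar_version(path):
    """Prefer the Maven pom.properties inside the JAR; a renamed file still carries it."""
    with zipfile.ZipFile(path) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    return parse_version(os.path.basename(path))


def has_jndi_lookup(path):
    with zipfile.ZipFile(path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def affected_cves(version, jndi_present):
    """CVEs that apply to this JAR. Without JndiLookup.class the two JNDI CVEs are
    mitigated; CVE-2021-45105 and CVE-2021-44832 still need the upgraded library."""
    cves = [cve for fixed, cve in CVE_FIXED_IN if version < parse_version(fixed)]
    return cves if jndi_present else [c for c in cves if c not in JNDI_CVES]


def scan(root):
    """{jar_path: (version, jndi_present, [cves])} for every log4j-core JAR under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, jndi = jar_version(path), has_jndi_lookup(path)
                report[path] = (version, jndi, affected_cves(version, jndi))
    return report


def strip_jndi_lookup(path):
    """Rewrite the JAR without JndiLookup.class, keeping a .bak copy.
    Returns True if the class was present and has been removed."""
    with zipfile.ZipFile(path) as zf:
        if JNDI_LOOKUP not in zf.namelist():
            return False
        kept = [(info, zf.read(info.filename)) for info in zf.infolist()
                if info.filename != JNDI_LOOKUP]
    shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with zipfile.ZipFile(tmp, "w") as out:
        for info, data in kept:
            out.writestr(info, data)
    os.replace(tmp, path)   # atomic swap: a crash never leaves a half-written JAR
    return True


def remediate(root):
    """Strip JndiLookup.class only from JARs that are still exposed to the JNDI CVEs."""
    stripped = []
    for path, (_, _, cves) in sorted(scan(root).items()):
        if any(c in JNDI_CVES for c in cves) and strip_jndi_lookup(path):
            stripped.append(path)
    return stripped


def make_sample_tree():
    """Constructed fixture resembling the uaaserver layout from the post: one 2.14.1 JAR
    (vulnerable) and one 2.17.0 JAR. Class entries are empty placeholders."""
    root = tempfile.mkdtemp(prefix="xsa-log4j-")
    for rel, ver in (("uaa-security/WEB-INF/lib/log4j-core-2.14.1.jar", "2.14.1"),
                     ("uaa-security-oidc/WEB-INF/lib/log4j-core-2.17.0.jar", "2.17.0")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % ver)
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
            zf.writestr(JNDI_LOOKUP, b"")   # 2.17.0 still ships the class; JNDI is just off by default
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for path, (version, jndi, cves) in sorted(scan(root).items()):
        print(os.path.relpath(path, root), version, "JndiLookup" if jndi else "-", cves)
    print("stripped:", [os.path.relpath(p, root) for p in remediate(root)])
    for path, (version, jndi, cves) in sorted(scan(root).items()):
        print(os.path.relpath(path, root), "after:", cves)
```

Run it directly to see the report for the fixture tree; to scan a real system, point scan() and remediate() at /hana/shared/<SID>/xs as <sid>adm, after taking a backup and with the XSA restart described further down. Stripping JndiLookup.class removes the JNDI attack surface of CVE-2021-44228/45046 but does nothing for CVE-2021-45105 or CVE-2021-44832; those need the updated runtime.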

 


XS Advanced applications

3131258 – [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA

As we can see from the note, the following HANA components are affected:

  • XSA (XS Advanced runtime)
  • HANA Cockpit (which itself runs as an XSA application), see also note 3131397

XSA runtime affected: version <= 1.0.140. Since 2021/12/21 there is a new version 1.0.141 which includes the fix (note 3130864 – EXTENDED APPLICATION SERVICES 1 Release Collection 1.0.141); it ships log4j 2.16.0 [thanks to Matthias Sander and Sander Meijer].

Determine XSA Runtime version

Log in as <sid>adm:

xs version

The log4j2.formatMsgNoLookups workaround (see the implementation section below) only takes effect with log4j >= 2.10, so determine the log4j version bundled with the runtime before relying on it.

Determine log4j version

find /hana/shared/<SID>/xs/uaaserver/tomcat -name "*log4j*"

XS Advanced Runtime   log4j version   Affected by                                                        Highest CVSS
<= 1.0.140            < 2.15.0        CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832   10.0
1.0.141               2.16.0          CVE-2021-45105, CVE-2021-44832                                     7.5
1.0.142               2.17.0          CVE-2021-44832                                                     6.6
not yet released      2.17.1          none of the above

Very old runtimes may still ship log4j 1.2.x instead of log4j 2 (see the comments below); those are not affected by the CVEs above, but log4j 1 has been end of life since 2015.

Download patch search:

https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=Y&FUNCTIONBAR=N&EVENT=TREE&NE=NAVIGATE&ENR=73555000100200004274&V=MAINT&TA=ACTUAL&PAGE=SEARCH/SAP%20EXTENDED%20APP%20SERVICES%201

There is a patch for HANA Cockpit SP14 Patch 5 (RTC 2021/12/31) which includes the XS Advanced Runtime 1.0.142 (see the SP14 summary).

Determine XSA Cockpit version

xs spaces
xs login -s <SPACE>
xs lc

XSA Cockpit version   log4j version   Affected by                                                        Highest CVSS
< 1.1.23              < 2.15.0        CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832   10.0
1.1.23                2.15.0          CVE-2021-45046, CVE-2021-45105, CVE-2021-44832                     9.0
1.1.24                2.16.0          CVE-2021-45105, CVE-2021-44832                                     7.5
1.1.25                2.17.0          CVE-2021-44832                                                     6.6
1.1.26                2.17.1          none of the above

Download patch search:

https://launchpad.support.sap.com/#/softwarecenter/search/XSA%2520COCKPIT%25201

Attention

From the note: on SAP HANA systems with System Replication (HSR) enabled, execute step 1 on the primary and all secondary systems. Steps 2-4 are required on the primary system only.

Upgrade/Update issue
If you have installed HANA Cockpit as well, it is not recommended to upgrade the XSA Cockpit separately.
Source: 3134932 – XSA Cockpit update fails with error "Selected component SAP HANA Cockpit Stack is not compatible with XSAC_XSA_COCKPIT"
Credits to Matthias Sander for the hint.

The current information status is that all Java versions are affected, also when the system property com.sun.jndi.ldap.object.trustURLCodebase is disabled (false, the default on newer JDKs), because the LDAP server can still return a serialized object that gets deserialized:

>> It was initially reported by Lunasec that servers running on JDKs versions higher than 6u211, 7u201, 8u191 are not affected by the LDAP RCE attack vector, as the com.sun.jndi.ldap.object.trustURLCodebase is disabled by default, hence JNDI cannot load a remote codebase using LDAP. However, further analysis by the community has revealed that all JDK versions are vulnerable to this kind of attack. Alvaro Muñoz commented on Twitter the deserialization attacks are still possible with the latest JDK: “The ldap server will return a serialized object which will get deserialized. RCE depends on gadget availability in the classpath though” <<

Source: https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/

Check the used java version:

cd /hana/shared/<SID>/xs/sapjvm_*/bin
./java -version

Implementation of the parameters

Log in as <sid>adm:

cdcoc
cp -p xsuaaserver.ini xsuaaserver.ini.bkp
cat xsuaaserver.ini
# if [configuration] is the only section (default), appending puts the key into that section:
echo "UAA.Jvm.AdditionalParameters = -Dlog4j2.formatMsgNoLookups=true" >> xsuaaserver.ini
cat xsuaaserver.ini
# otherwise, insert the line into the [configuration] section with vi:
vi xsuaaserver.ini

If UAA.Jvm.AdditionalParameters is already set, add the -D flag to the existing value rather than appending a second key with the same name.
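As an added example (not code from the original post), the following Python helper makes the xsuaaserver.ini change idempotent and verifiable: it puts -Dlog4j2.formatMsgNoLookups=true into UAA.Jvm.AdditionalParameters in the [configuration] section, merging with an existing value (and replacing an earlier =false) instead of appending a duplicate key, backs the file up to .bkp as the commands above do, and checks a java command line as it appears in the trace after the restart, treating the last occurrence of the property as the effective one. The INI texts, the trace line, the SID HXE and the class name org.example.Main are constructed placeholders, not copied from a real system.

```python
"""Set -Dlog4j2.formatMsgNoLookups=true in xsuaaserver.ini without creating
duplicate keys, and verify the flag on a logged JVM command line.

Added example for this blog, not code from the original post. It assumes the INI
layout shown there (a [configuration] section, key UAA.Jvm.AdditionalParameters);
the sample INI texts and the trace line below are constructed, not real.
"""
import configparser
import io
import shlex
import shutil

SECTION = "configuration"
KEY = "UAA.Jvm.AdditionalParameters"
PROPERTY = "-Dlog4j2.formatMsgNoLookups="
FLAG = PROPERTY + "true"


def _parser():
    # '=' is the only delimiter (JVM options may contain ':'); keep the key case,
    # because configparser lowercases option names by default.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    return cp


def add_no_lookups(ini_text):
    """Return ini_text with the flag present exactly once in
    [configuration]/UAA.Jvm.AdditionalParameters. An existing value is extended
    (and an earlier =false setting replaced), never duplicated."""
    cp = _parser()
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    args = cp.get(SECTION, KEY, fallback="").split()
    args = [a for a in args if not a.startswith(PROPERTY)] + [FLAG]
    cp.set(SECTION, KEY, " ".join(args))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def ini_has_no_lookups(ini_text):
    """True only if the INI sets the property to true (an =false entry does not count)."""
    cp = _parser()
    cp.read_string(ini_text)
    return FLAG in cp.get(SECTION, KEY, fallback="").split()


def update_ini_file(path):
    """Back the file up to <path>.bkp (as in the post) and rewrite it with the flag set."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    shutil.copy2(path, path + ".bkp")
    with open(path, "w", encoding="utf-8") as f:
        f.write(add_no_lookups(text))


def jvm_args_have_no_lookups(cmdline):
    """Check a java command line as logged in the trace. If the property appears
    several times the last occurrence wins on the JVM, so that one is decisive."""
    value = None
    for arg in shlex.split(cmdline):
        if arg.startswith(PROPERTY):
            value = arg[len(PROPERTY):].strip().lower()
    return value == "true"


# Constructed samples (not from a real system); HXE and org.example.Main are placeholders.
SAMPLE_INI_DEFAULT = "[configuration]\n"
SAMPLE_INI_EXISTING = ("[configuration]\n"
                       "UAA.Jvm.AdditionalParameters = -Xmx2g -Dlog4j2.formatMsgNoLookups=false\n")
SAMPLE_TRACE = ("/hana/shared/HXE/xs/sapjvm_8/bin/java -Xmx2g "
                "-Dlog4j2.formatMsgNoLookups=true -cp /tmp/app.jar org.example.Main")

if __name__ == "__main__":
    print(add_no_lookups(SAMPLE_INI_DEFAULT))
    print(add_no_lookups(SAMPLE_INI_EXISTING))
    print("trace ok:", jvm_args_have_no_lookups(SAMPLE_TRACE))
```

Run update_ini_file() against the real file as <sid>adm (after cdcoc) and restart XSA as described below; the flag only takes effect with log4j >= 2.10 and, per the Apache statement above, does not cover CVE-2021-45046, so it is a stopgap until the runtime is patched.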

 

Check your XSA before you apply changes (run the diagnosis and back up the SSFS and the FSS):

XSA diagnose
XSA backup-ssfs
XSA backup-fss

To find vulnerable XS advanced applications with respect to CVE-2021-44228:

xs-admin-login
xs find-artifacts -n "log4j-core*"

Mitigations (an update to the patched runtime is strongly recommended anyway: the workarounds do not cover CVE-2021-45105 and CVE-2021-44832, and the formatMsgNoLookups flag alone does not cover CVE-2021-45046, see the Apache statement above):

  1. set the workaround environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true in the running environment variable group
  2. remove the JndiLookup class from the UAA server's log4j-core JARs (take a backup of the JARs first, zip -d modifies them in place)
xs-admin-login
xs urevg --add LOG4J_FORMAT_MSG_NO_LOOKUPS true
cdxs
zip -q -d ./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d ./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

XSA restart
!!! This restarts all XSA services, which means your applications will be unavailable for 15 to 30 minutes !!!

Check xsuaaserver.out for the correct variables / parameters (the JVM parameters logged there must contain -Dlog4j2.formatMsgNoLookups=true):

cdtrace
grep -i log4j xsuaaserver.out

As mentioned by Sathiyaraj Jagadesh in the comments, you can also check the running environment variable group via revg:

xs revg | grep -i log4j

Check after implementation

XSA diagnose

Check the output in the trace directory: /hana/shared/<SID>/<hostname>/trace/xsa_diagnose_results.txt

As soon as there are updates on this topic I will update the blog.

 

SAP Security Patch Day – December 2021

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

https://securitybridge.com/sap-patchday/sap-security-patch-day-december-2021/

Further sources:

https://logging.apache.org/log4j/2.x/security.html

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf

https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/

https://github.com/google/log4jscanner

41 Comments
Andreas Jankowiak

      Thank you very much Jens!

Sathiyaraj Jagadesh

      Hello,

      One additional information, if you want to check after restart if the environment variable is set, then use below command,

      xs revg

      Retrieving the contents of the running environment variable group as ***_ADMIN...

      Variable Name Assigned Value
      --------------------------------------------
      LOG4J_FORMAT_MSG_NO_LOOKUPS true

       

Maxime Gillet

      Hello,

      Does this include the SAP BTP hana xs systems? if so what would be the procedure for those systems?

      my version is

      2.00.055.00.1615413201

      I saw this note but it is really not clear to me if I have to do anything about it. I don't know where I can find what version of log4j is used...

      Thanks/Regards

Jens Gleichmann (Blog Post Author)

      Hi Maxime,

      in the latest document it is described:

      Appropriate patching or recommended temporary fixes were applied.

      • Customer Applications on BTP Neo Environment
      • Customer Applications on BTP Cloud Foundry Environment - Workaround
      • SAP HANA Service for BTP

      Just have look into 3130476 - Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications if it applies to you.

       

      Regards,

      Jens

       

Maxime Gillet

      Thanks for the links and details, I was aware of those but was still not 100% clear.

My concern was actually more about SAP HANA XS systems hosted in BTP NEO environments.

      In  your latest document link there is one line saying BTP Neo is not impacted but later in the document there is this workaround note about Hana xs systems https://launchpad.support.sap.com/#/notes/3130698

      This is what is confusing to me.

      But If I understand right SAP Hana service for BTP covers hana xs systems also? so I should have no actions to perform on my side...

      Have a nice day

      Maxime

Jens Gleichmann (Blog Post Author)

      There is no action to do on your side for BTP. The work around is affecting HANA XSA on prem edition not the BTP. For BTP cloud foundry you can double check this via note 3130476 .

Maxime Gillet

      Okay I understand better now thanks for your time !

Evelyn Curreri

      Excellent information. Thanks for sharing!

Sadik Iqbal Siddiqui

      Good information with nice procedure

Jens Hogenacker

      Jens Gleichmann Hi Jens, just a small thing regarding the upper section of your post: SAP BusinessObjects is NOT affected (not impacted). That`s what is essentially stated in Note 3129956. BR Jens

Jens Gleichmann (Blog Post Author)

      Hi Jens,

      nice to read from you. You are fully right - copy paste issue due to the fast writing procedure.

      Regards,

      Jens

Rudi Wiesmayr

      Does anyone know when the XSA Patch 141 will be available here:
      https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=Y&FUNCTIONBAR=N&EVENT=TREE&NE=NAVIGATE&ENR=73555000100200004274&V=MAINT&TA=ACTUAL&PAGE=SEARCH/SAP%20EXTENDED%20APP%20SERVICES%201

      Kind regards, Rudi

Jens Gleichmann (Blog Post Author)

      Hi Rudi,

      nice to read from you again. I think it will take some time because log4j version 2.15.0 will also not fix all issues (see CVE-2021-45046). I think they will include a new library and test again from scratch - so this will take some more days until XSA Runtime V1.0.141 will be released.

      Regards,

      Jens

       

Jonathan Wilson

      Hi Jens,

       

      What happens if you are still running on log4j v1. We have checked our XSA & it is running v1.0.71.

      I checked the

       

      find /hana/shared/UHD/<SID>/xs/uaaserver/tomcat -name "*log4j*"
      /hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-1.2.17.jar
      /hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/slf4j-log4j12-1.7.24.jar
      /hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/classes/log4j-cf.properties
      /hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/classes/log4j.properties

So I don't believe the workaround supplied by SAP is applicable.

      Thanks,

      Ajay

Sathiyaraj Jagadesh

      Hello Ajay,

As per SAP's suggestion, log4j 1.* versions have been outdated since August 2015, so it's highly advisable to update to log4j 2.16

      https://logging.apache.org/log4j/2.x/security.html

      Thanks.

Team ICT BASIS

      Hi Jagadesh,

       

      I am really not sure if that statement is true. SAP is actively using log4j v1* in many of their products until now.

       

While I understand log4j 1* is out of support, my question is more about the solution being proposed by SAP.

       

      Thanks,

      Ajay

Tobias Hagen

      Hello Ajay,

      log4j1 is not affected by this bug.

       

      Best  Regards

       

      Tobi

Jens Gleichmann (Blog Post Author)

      Hi Ajay,

       

as mentioned by Tobi, log4j v1 is not affected and needs no fix or workaround. But in the end you should check if the product you are using is still in support. If any software uses outdated libs from 2015 you should consider replacing this software.

       

      Regards,

      Jens

Rommel Teodoro de Oliveira

      Have you checked CVE-2021-4104?

      JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

       

       

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

      https://access.redhat.com/security/cve/CVE-2021-4104

Jens Gleichmann (Blog Post Author)

      This is correct but in context of CVE-2021-44228 it is not affected. In the end when a software wasn't patched for years there are several security vulnerabilities. So, CVE-2021-4104 is not the first and not the last one 😉

Jascha Schroeter

      Hi Jens, with the Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.7 we found CVE-2021-4104 in Eclipse plugin com.sap.ndb.studio.modeler.cr4e.doc_2.3.62.jar (lib/log4j.jar). Is there any statement from SAP on this one? I haven't found anything relevant for this Eclipse plugin in the KB.

Jens Gleichmann (Blog Post Author)

      Hi Jascha,

as far as I understand you have scanned a Windows client and found an Eclipse plugin from the studio modeler. As you can read in the document provided by SAP, ABAP in Eclipse and HANA studio are not named as impacted. As far as it affects only clients I would not rate it too high 😉

       

      Regards,

      Jens

Jascha Schroeter

      Hi Jens,

      Thanks for your answer, you're right. I also don't estimate a high risk, but our automatic scan triggers an alert. Do you know if there is any plan to upgrade the used library anytime soon? It's hard to classify all our software packages as client-only or not to make a kind of exemption-list.

Dirk Olderdissen

Maybe the official communication from our SAP Security Team might help as well. It contains a list of many SAP applications that are not affected and also some that are in mitigation. Please check the document regularly as it gets updated constantly.

      Document on the My Trust Center (Support Portal) - access requires an S-User:
      https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf

Jens Gleichmann (Blog Post Author)

      Hi Dirk,

the mentioned document is already linked and referred to as a source. I will add the detail that it will be updated constantly as a further hint.

       

      Regards,

      Jens

Sander Meijer

      Hi Jens,

      Thanks for the informative blog.

      According to 3131258 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA you can upgrade to 1.0.141 (available now) or when this is not immediately possible, remove the JndiLookup.class from the jar-file. This should then fix XSA as a platform, but one should still check the XSA application on top of it. The latest xsa-cockpit, release 16.12.21, SP01 Patch23 for XSA COCKPIT 1) is based on 2.15.0. Any idea when 2.16.0 will be released?

       

      hostname:sidadm> xs lc

      Getting software components in org "ORG" / space "SAP" as XSA_ADMIN...
      Found software components:

      software component version
      ---------------------------------------
      XSAC_ALM_PI_UI (sap.com) 1.14.1
      XSAC_HRTT (sap.com) 2.12.20461
      XSAC_PORTAL_SERV (sap.com) 1.5.1
      XSAC_SAP_WEB_IDE (sap.com) 4.5.2
      XSAC_SERVICES (sap.com) 1.7.12
      XSAC_UI5_FESV5 (sap.com) 1.60.29
      XSAC_UI5_FESV6 (sap.com) 1.71.28
      XSAC_XSA_COCKPIT (sap.com) 1.1.23


      hostname:sidadm> xs find-artifacts -n "log4j-core*"

      Finding all artifacts of droplets with name wildcard "log4j-core*"...

      path: /
      + DROPLET of application "xsa-cockpit" with index 6 in space "SAP" of org "ORG" created at Dec 17, 2021 10:18:30 AM (1 RUNNING, 1 STOPPED)
      path: /app/
      + APP "xsa-cockpit" in space "SAP" of org "ORG" created at Nov 20, 2018 1:51:13 PM (STARTED)
      path: /app/WEB-INF/lib/log4j-core-2.15.0.jar
      JAR log4j-core 2.15.0
      path: /app/WEB-INF/lib/log4j-core-2.15.0.jar

      Found artifacts Affected droplets
      -----------------------------------
      2 1

       

      Thanks!

      Sander.

Jens Gleichmann (Blog Post Author)

      Hi Sander,

       

      thanks for the info. log4j version 2.15.0 is included which means that still CVE-2021-45046 is valid for 1.0.141. Only log4j version 2.16.0 will fix it completely.

       

      Regards,

      Jens

Sander Meijer

Not sure if XSA 1.0.141 includes 2.15.0 for the uaaserver (did not have the option yet to test the upgrade). The xsa-cockpit component however still uses it in the latest version.

Sander Meijer

      Hi Jens,

      Found the time to update a sandbox to 1.0.141. This includes 2.16.0.

      ./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-2.16.0.jar
      ./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-2.16.0.jar

      So it is definitely "just" xsa-cockpit which is still based on 2.15.0.

Update: a new note confirms this version 1.1.23 contains 2.15.0: 3131397 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

      Am eagerly waiting on a version with 2.16.0 there as well.

      Cheers,

      Sander.

       

Sander Meijer

XSA Cockpit version 1.1.24 was just released, which indeed has 2.16.0.

       

      hostname> xs find-artifacts -n "log4j-core*"
      
      Finding all artifacts of droplets with name wildcard "log4j-core*"...
      
      path: /
      + DROPLET of application "xsa-cockpit" with index 8 in space "SAP" of org "ORG" created at Dec 18, 2021 10:57:31 AM (1 RUNNING, 2 STOPPED)
      path: /app/
      + APP "xsa-cockpit" in space "SAP" of org "ORG" created at Nov 20, 2018 1:51:13 PM (STARTED)
      path: /app/WEB-INF/lib/log4j-core-2.16.0.jar
      JAR log4j-core 2.16.0
      path: /app/WEB-INF/lib/log4j-core-2.16.0.jar
Nipun Mahajan

      Hi Jens,

      Do you know if the fix for HANA XS is sustainable or do we need to change it again because of the recent update on the log4j vulnerability?

      Nipun

Jens Gleichmann (Blog Post Author)

      Hi Nipun,

AFAIK the XS classic is not explicitly named as affected. The classic XS JavaScript (XSJS) is supported by a framework running in the Node.js runtime. This means that no log4j Java class is implemented. But to be on the safe side, you have to open an OSS ticket. Be aware that XSC has been deprecated for a long time and all applications should be migrated to XSA.

      Regards,

      Jens

       

Nicolas Melchert

      Hi,

      thanks for this valueable Post !

I was able to find EXTAPPSER00P_142-70001316.SAR which seems to be XSA PL142.

Unfortunately, no further information can be found in the Marketplace on whether this covers log4j 2.17.

      Do you probably have any insights here ?

      Thanks in advance !

      Nicolas

       

       

Bjoern Straatmann

      Hi *,

first I would like to thank everyone and especially Jens for sharing this information.

      Just wanted to confirm that EXTAPPSER00P_142-70001316.SAR covers log4j 2.17.

      xs version

      Client version: xs v1.0.142

       

      find /hana/shared/$SID/xs/uaaserver/tomcat -name "*log4j-core*"
      /hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-2.17.0.jar
      /hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-2.17.0.jar

      Br,
      Björn

       

       

Jens Gleichmann (Blog Post Author)

      Hi Björn,

thanks for cross checking. XSACXSACOCKPIT01_25-80002644.ZIP (1.1.25) and EXTAPPSER00P_142-70001316.SAR (1.0.142) include the latest log4j fix 2.17.0. Currently there are no known CVEs / vulnerabilities which are not fixed by this patch. This means everybody should patch the system to this patch level to avoid a security breach.

      Thanks & merry X-mas

      Jens

Vikas Sreedharan

      Any update on 2.17.1 version of log4j for SAP.

We have vulnerability 376209 - Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832), reported via the Qualys tool.

      And solution suggested is log4j be updated to version 2.17.1

      In the blog, it is told 2.17.1 is not yet available.

      Any plans for release of version 2.17.1?

      Thanks,

      Vikas

Jens Gleichmann (Blog Post Author)

      Hi Vikas,

      it is still the latest status. There is no released XSA COCKPIT or XS Advanced Runtime version for log4j 2.17.1. I don't have any release details for RTC of it.

       

      Regards,

      Jens

Vikas Sreedharan

      Hi Jens,

      There is another Qualys Vulnerability reported in our servers w.r.t log4j

      106032 EOL/Obsolete Software: Apache Log4j 1.X Detected

      it is pointing to "ds/log4j-1.2.17.jar#"

      Customers are advised to upgrade to Apache Log4j 2.X, for more information please refer to

      https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces

      Has SAP released log4j 2X versions?

      https://www.google.com/search?q=site:sap.com+"Log4j 2"

       

      Support team says that SAP has not released log4j version 2x for hana systems

      Is this info correct?

      Thanks,

      Vikas

Jens Gleichmann (Blog Post Author)

      Hi Vikas,

       

      please read the blog carefully. log4j V1 is not supported anymore. In the components mentioned in this blog there are updates of log4j V2 available. This indicates the 2 in the version of log4j: 2.17.0

Which support team says there is no version 2? What is meant by "for hana systems"? A blank HANA installation doesn't include Java, so there is nothing to patch. Only when it comes to XSA is there something to do. But please read the blog and its sources properly. This will answer all your questions. If there is still something unclear please open an OSS ticket.

       

      Regards,

      Jens

Sathiyaraj Jagadesh

      Hello SAP Stalwarts,

      XSA Cockpit version 1.1.26 released on 22nd Jan 2022 includes log4j 2.17.1 (log4j-api-2.17.1.jar & log4j-core-2.17.1.jar) version jar files. So we should be good to update this XSA Cockpit version. 

      We still have to wait for SAP to release XSA Version and HANA Cockpit version with log4j 2.17.1 version.

      Download Zip file -XSACXSACOCKPIT01_26-80002644.ZIP

      Thanks

      Sathya

       

Jens Gleichmann (Blog Post Author)

      Hi Sathya,

       

thanks for the update on this. I recently added this detail to the blog. The note which should describe it in detail is currently not officially available ("is being created").

       

      Regards,

      Jens