HANA XSA log4j CVE-2021-44228
last updated: 2022-03-10 10:20 CET
The security topic log4j (CVE-2021-44228, CVSS score 10 of 10, plus the follow-up CVEs) is currently omnipresent. In this blog I want to show how you can check your HANA XSA systems, implement the mitigation, and verify afterwards that the settings are correct.
Source: GovCERT.ch
The fix provided by log4j version 2.15.0 is incomplete in certain non-default configurations, so a new CVE was raised: CVE-2021-45046 (initial CVSS score 3,7, now 9,0 / 10). It is fixed with log4j 2.16.0. Details: lunasec
There is a new vulnerability, CVE-2021-45105, rated with a CVSS of 7,5. It is fixed with log4j 2.17.0, which is included in XSA runtime version 1.0.142.
There is another new vulnerability, CVE-2021-44832, rated with a CVSS of 6,6. It is fixed with log4j 2.17.1, which is included in the latest patches XSA runtime version 1.0.143 and XSA Cockpit 1.1.26.
Overview
CVE | effect | fixed by log4j version | CVSS score | mitigation via workaround available | release date
CVE-2021-44228 | execute arbitrary code loaded from LDAP servers | 2.16.0 (2.15.0 was the initial, incomplete fix) | 10 | X | 20211126
CVE-2021-45046 | remote code execution in some environments + local code execution | 2.16.0 | 9 | X | 20211214
CVE-2021-45105 | uncontrolled recursion (stack overflow) / DoS, denial of service | 2.17.0 | 7,5 | X | 20211216
CVE-2021-44832 | remote code execution (RCE) when an attacker controls the logging configuration (JDBC appender) | 2.17.1 | 6,6 | – | 20211211
To query the CVE database for all log4j vulnerabilities, use this search link.
The currently affected SAP products can be identified using this document, which is updated constantly. Last update: 2022/03/09 15:55 EST (thanks to Kuto Baran for the hint).
There is a new central note for an overview (thanks to Matthias Sander for the hint):
Hint: Mark the note as a favorite (star in the upper right corner) to get notified of any update to it.
To mention some popular ones:
- Cloud connector is not affected (Note: 3130868)
- BusinessObjects is not affected (Note: 3129956) – This applies to all the SAP BI products listed in the Environment section of the above mentioned document
- SAP NetWeaver Application Server Java is not impacted by the CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105. This applies to all the AS Java Core Components. Applications running on top of it using the libs can be affected! (Note: 3129883)
- SAP NetWeaver Process Integration is affected (Note: 3131436/ 3130521)
- BTP Cloud Foundry applications can be affected (Note: 3130476 / 3131208)
Mitigation CVE-2021-44228
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.
The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.
Source: Apache
Log4jscanner
There is a command-line tool (written in Go) that scans for vulnerable JARs and can rewrite them in place, actively removing the vulnerable class from the detected JARs. See the Git repository for further details.
XS Advanced applications
As we can see from the note, the following HANA components are affected:
- XSA
- HANA Cockpit (which also is running as XSA application) – see also note 3131397
XSA runtime affected: version <= 1.0.140. As of 2021/12/21 there is a new version 1.0.141 which includes the fix (note 3130864 – EXTENDED APPLICATION SERVICES 1 Release Collection 1.0.141). It contains log4j version 2.16.0. [thanks to Matthias Sander and Sander Meijer]
Determine XSA Runtime version
Login as sidadm:
xs version
The formatMsgNoLookups mitigation parameter only takes effect with log4j >= 2.10 (see the Apache advisory above), so check the bundled log4j version before relying on it.
Determine log4j version
find /hana/shared/<SID>/xs/uaaserver/tomcat -name "*log4j*"
XS Advanced Runtime | log4j version | affected by | highest CVSS rating
<= 1.0.140 | < 2.15.0 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | 10
1.0.141 | 2.16.0 | CVE-2021-45105, CVE-2021-44832 | 7,5
1.0.142 | 2.17.0 | CVE-2021-44832 | 6,6
1.0.143 | 2.17.1 | – | –
Download patch search:
There is a patch for HANA Cockpit SP14 Patch 6 from RTC 2022/03/02 which includes the XS Advanced Runtime 1.0.143. (Summary SP14)
Thanks to Joerg Latza for posting the details.
Determine XSA Cockpit version
xs spaces
xs login -s <SPACE>
xs lc
XSA Cockpit version | log4j version | affected by | highest CVSS rating
< 1.1.23 | < 2.15.0 | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | 10
1.1.23 | 2.15.0 | CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 | 9
1.1.24 | 2.16.0 | CVE-2021-45105, CVE-2021-44832 | 7,5
1.1.25 | 2.17.0 | CVE-2021-44832 | 6,6
1.1.26 | 2.17.1 | – | –
Download patch search:
https://launchpad.support.sap.com/#/softwarecenter/search/XSA%2520COCKPIT%25201
Attention (from the note): On SAP HANA systems with System Replication (HSR) enabled, execute step 1 on the primary and all secondary systems. Executing steps 2-4 is required on the primary system only.
Upgrade/Update issue: If you installed HANA cockpit as well, it is not recommended to upgrade XSA Cockpit separately. Source: 3134932 – XSA Cockpit update fails with error "Selected component SAP HANA Cockpit Stack is not compatible with XSAC_XSA_COCKPIT". Credits to Matthias Sander for the hint.
The current state of information is that all Java versions are affected, even with the com.sun.jndi.ldap.object.trustURLCodebase property disabled (the default on newer JDKs):
>> It was initially reported by Lunasec that servers running on JDKs versions higher than 6u211, 7u201, 8u191 are not affected by the LDAP RCE attack vector, as the com.sun.jndi.ldap.object.trustURLCodebase is disabled by default, hence JNDI cannot load a remote codebase using LDAP. However, further analysis by the community has revealed that all JDK versions are vulnerable to this kind of attack. Alvaro Muñoz commented on Twitter the deserialization attacks are still possible with the latest JDK: "The ldap server will return a serialized object which will get deserialized. RCE depends on gadget availability in the classpath though" <<
Source: https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/
Check the used java version:
cd /hana/shared/<SID>/xs/sapjvm_*/bin
./java -version
Implementation of the parameters
Login as sidadm:
cdcoc
cp -p xsuaaserver.ini xsuaaserver.ini.bkp
cat xsuaaserver.ini
# if only the section [configuration] exists (default), the appended line lands in that section:
echo "UAA.Jvm.AdditionalParameters = -Dlog4j2.formatMsgNoLookups=true" >> xsuaaserver.ini
cat xsuaaserver.ini
# if there are further sections, appending would put the line into the last section of the file; insert it under [configuration] via vi instead:
vi xsuaaserver.ini
Check your XSA before you apply changes:
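The same ini change done idempotently, as an added example that is not part of the original post and not SAP-provided tooling: it can be re-run safely, keeps the backup copy, and covers the two cases the manual procedure distinguishes (only [configuration] present, or further sections present) plus an existing UAA.Jvm.AdditionalParameters line that already carries other JVM options or a formatMsgNoLookups=false entry. The file path, the .bkp naming and the sample ini contents are assumptions.

```python
# Added example (not from the original post or from SAP): idempotently set
# -Dlog4j2.formatMsgNoLookups=true in UAA.Jvm.AdditionalParameters of xsuaaserver.ini.
# Path and sample contents are assumptions; run as <sid>adm in the config dir (cdcoc).
import shutil
import sys
from pathlib import Path

KEY = "UAA.Jvm.AdditionalParameters"
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
SECTION = "[configuration]"


def patched_ini_text(text: str) -> str:
    """Return the ini text with FLAG guaranteed inside KEY under SECTION.

    Cases, mirroring the manual procedure:
      1. KEY already carries FLAG            -> text returned unchanged
      2. KEY exists without FLAG (or =false) -> FLAG appended to its value
      3. KEY absent, SECTION present         -> 'KEY = FLAG' added at the end of SECTION
                                                (a blind `echo >>` would land in the
                                                last section of the file instead)
      4. SECTION absent                      -> SECTION and the line appended
    """
    lines = text.splitlines()
    section_start = section_end = key_idx = None
    current = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if current == SECTION and section_end is None:
                section_end = i            # first header after [configuration]
            current = stripped
            if current == SECTION:
                section_start = i
            continue
        if current == SECTION and stripped and not stripped.startswith(("#", ";")):
            k, sep, _ = stripped.partition("=")
            if sep and k.strip() == KEY:
                key_idx = i
    if section_start is not None and section_end is None:
        section_end = len(lines)           # [configuration] runs to end of file

    if key_idx is not None:
        k, _, v = lines[key_idx].partition("=")
        params = v.split()
        if FLAG in params:
            return text                    # case 1: nothing to do
        # case 2: drop any formatMsgNoLookups=<other> entry, then add the flag
        params = [p for p in params if not p.startswith("-Dlog4j2.formatMsgNoLookups=")]
        lines[key_idx] = f"{k.strip()} = {' '.join(params + [FLAG])}"
    elif section_start is not None:
        # case 3: insert after the last non-blank line of the section
        insert_at = section_end
        while insert_at > section_start + 1 and not lines[insert_at - 1].strip():
            insert_at -= 1
        lines.insert(insert_at, f"{KEY} = {FLAG}")
    else:
        # case 4: no [configuration] section at all
        if lines and lines[-1].strip():
            lines.append("")
        lines += [SECTION, f"{KEY} = {FLAG}"]
    return "\n".join(lines) + "\n"


def patch_ini(path: str) -> bool:
    """Back the file up (like `cp -p xsuaaserver.ini xsuaaserver.ini.bkp`, keeping
    mode and mtime) and rewrite it. Returns True when the file was changed."""
    p = Path(path)
    original = p.read_text()
    updated = patched_ini_text(original)
    if updated == original:
        return False
    shutil.copy2(p, Path(str(p) + ".bkp"))
    p.write_text(updated)
    return True


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "xsuaaserver.ini"
    print("changed" if patch_ini(target) else "already set", target)
```

Run it as `python3 patch_ini.py /hana/shared/<SID>/<hostname>/xsuaaserver.ini` (path assumed) and diff the result against the .bkp copy before the XSA restart; a second run reports "already set" and leaves the file untouched.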
XSA diagnose
XSA backup-ssfs
XSA backup-fss
To find vulnerable XS advanced applications with respect to CVE-2021-44228:
xs-admin-login
xs find-artifacts -n "log4j-core*"
Mitigations (note: because of the CVEs beyond CVE-2021-44228, an update is strongly recommended):
- set the workaround environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
- remove the JndiLookup class from the classpath (the zip -d commands below rely on the glob matching exactly one log4j-core jar per directory; verify with ls first)
xs-admin-login
xs urevg --add LOG4J_FORMAT_MSG_NO_LOOKUPS true
cdxs
zip -q -d ./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d ./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
XSA restart
!!! This will restart your XSA services, which means your applications will not be available for 15-30 min !!!
Check xsuaaserver.out for the correct variables / parameters:
cdtrace
grep -i log4j xsuaaserver.out
As mentioned by Sathiyaraj Jagadesh, you can also check the parameters via revg:
xs revg | grep -i log4j
Check after implementation
XSA diagnose
Check the output in the trace directory: /hana/shared/<SID>/<hostname>/trace/xsa_diagnose_results.txt
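For the log4j version check (find ... -name "*log4j*"), the JndiLookup.class removal (zip -q -d) and the check after implementation, here is an added example that is not part of the original post and not SAP-provided tooling: a Python scanner that walks a directory for log4j-core-*.jar, reads the version from the file name, maps it to the CVEs that are still open at that version according to the overview table above, and reports whether JndiLookup.class has already been removed. It also shows, per jar, which CVEs remain even after the class removal, which is the reason the runtime/cockpit patch is still required. The directory layout, the .bak naming and the jar contents used for testing are constructed assumptions; the script does not query XSA and does not replace xs find-artifacts for deployed applications.

```python
# Added example (not from the original post or from SAP): find log4j-core jars under a
# directory, derive the bundled version, list the CVEs from the overview table that are
# still open at that version, and check whether JndiLookup.class has been removed.
# Paths are assumptions; it does not query XSA and does not replace `xs find-artifacts`.
import os
import re
import shutil
import sys
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

# From the overview table: a CVE is open while the bundled version is below "fixed in".
FIXED_IN = {
    "CVE-2021-44228": (2, 16, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# Only the two JNDI lookup CVEs are neutralised by deleting JndiLookup.class.
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}


@dataclass
class Finding:
    path: str
    version: Tuple[int, int, int]
    open_cves: List[str]
    jndi_present: bool


def open_cves_for(version: Tuple[int, int, int]) -> List[str]:
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def remaining_risk(f: Finding) -> List[str]:
    """CVEs still open after accounting for a removed JndiLookup.class. This is why
    the class removal is only a stop-gap and the runtime/cockpit patch is needed."""
    return [c for c in f.open_cves if f.jndi_present or c not in JNDI_CVES]


def inspect_jar(path: str) -> Optional[Finding]:
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None                        # log4j-api, slf4j bridges etc. are not relevant
    version = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(path) as zf:
        jndi = JNDI_CLASS in zf.namelist()
    return Finding(path, version, open_cves_for(version), jndi)


def scan(root: str) -> List[Finding]:
    """Equivalent of `find <root> -name "log4j-core*"` plus inspection of each hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            f = inspect_jar(os.path.join(dirpath, name))
            if f is not None:
                findings.append(f)
    return sorted(findings, key=lambda f: f.path)


def remove_jndi_lookup(path: str) -> bool:
    """Same effect as `zip -q -d <jar> org/.../JndiLookup.class`: rewrite the jar
    without that entry, keeping a .bak copy (assumed naming). True if removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        shutil.copy2(path, path + ".bak")
        tmp = path + ".tmp"
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)                  # swap in only once the new jar is complete
    return True


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan(root):
        ver = ".".join(map(str, f.version))
        print(f"{f.path}: log4j-core {ver}, JndiLookup.class "
              f"{'present' if f.jndi_present else 'removed'}, "
              f"remaining: {', '.join(remaining_risk(f)) or 'none'}")
```

Point it at the tomcat directory from the version check (`python3 log4j_scan.py /hana/shared/<SID>/xs/uaaserver/tomcat`) before and after the XSA restart: a jar that still reports "JndiLookup.class present" with an open CVE-2021-44228 has not been mitigated, and a jar on 2.16.0 or 2.17.0 still lists the later CVEs until the 1.0.143 / 1.1.26 patch is applied.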
As soon as there are updates on this topic I will update the blog.
I wish SAP would list the components and versions contained in each patch. That information would save every customer a lot of time figuring out the right patch levels; currently these details are not published in any note or document, and nowadays it should not be impossible to provide them.
SAP Security Patch Day – December 2021
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021
https://securitybridge.com/sap-patchday/sap-security-patch-day-december-2021/
Further sources:
https://logging.apache.org/log4j/2.x/security.html
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/
https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/
Thank you very much Jens!
Hello,
One additional information, if you want to check after restart if the environment variable is set, then use below command,
xs revg
Retrieving the contents of the running environment variable group as ***_ADMIN...
Variable Name Assigned Value
--------------------------------------------
LOG4J_FORMAT_MSG_NO_LOOKUPS true
Hello,
Does this include the SAP BTP hana xs systems? if so what would be the procedure for those systems?
my version is
I saw this note but it is really not clear to me if I have to do anything about it. I don't know where I can find what version of log4j is used...
Thanks/Regards
Hi Maxime,
in the latest document it is described:
Appropriate patching or recommended temporary fixes were applied.
Just have look into 3130476 - Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications if it applies to you.
Regards,
Jens
Thanks for the links and details, I was aware of those but was still not 100% clear.
My concerns was actually more about SAP HANA XS systems hosted in BTP NEO environments.
In your latest document link there is one line saying BTP Neo is not impacted but later in the document there is this workaround note about Hana xs systems https://launchpad.support.sap.com/#/notes/3130698
This is what is confusing to me.
But If I understand right SAP Hana service for BTP covers hana xs systems also? so I should have no actions to perform on my side...
Have a nice day
Maxime
There is no action to do on your side for BTP. The work around is affecting HANA XSA on prem edition not the BTP. For BTP cloud foundry you can double check this via note 3130476 .
Okay I understand better now thanks for your time !
Excellent information. Thanks for sharing!
Good information with nice procedure
Jens Gleichmann Hi Jens, just a small thing regarding the upper section of your post: SAP BusinessObjects is NOT affected (not impacted). That's what is essentially stated in Note 3129956. BR Jens
Hi Jens,
nice to read from you. You are fully right - copy paste issue due to the fast writing procedure.
Regards,
Jens
Does anyone know when the XSA Patch 141 will be available here:
https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_EVENT=DISPHIER&HEADER=Y&FUNCTIONBAR=N&EVENT=TREE&NE=NAVIGATE&ENR=73555000100200004274&V=MAINT&TA=ACTUAL&PAGE=SEARCH/SAP%20EXTENDED%20APP%20SERVICES%201
Kind regards, Rudi
Hi Rudi,
nice to read from you again. I think it will take some time because log4j version 2.15.0 will also not fix all issues (see CVE-2021-45046). I think they will include a new library and test again from scratch - so this will take some more days until XSA Runtime V1.0.141 will be released.
Regards,
Jens
Hi Jens,
What happens if you are still running on log4j v1. We have checked our XSA & it is running v1.0.71.
I checked the
find /hana/shared/UHD/<SID>/xs/uaaserver/tomcat -name "*log4j*"
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-1.2.17.jar
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/slf4j-log4j12-1.7.24.jar
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/classes/log4j-cf.properties
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/classes/log4j.properties
So I don't believe the workaround supplied by SAP is applicable.
Thanks,
Ajay
Hello Ajay,
As per SAP's suggestion, log4j 1.* versions have been outdated since August 2015, so it is highly advisable to update to log4j 2.16.
https://logging.apache.org/log4j/2.x/security.html
Thanks.
Hi Jagadesh,
I am really not sure if that statement is true. SAP is actively using log4j v1* in many of their products until now.
While i understand log4j 1* is out of support but my question is more about solution being proposed by SAP.
Thanks,
Ajay
Hello Ajay,
log4j1 is not affected by this bug.
Best Regards
Tobi
Hi Ajay,
as mentioned by Tobi, the log4j v1 is not affected and needs no fix or workaround. But in the end you should check if the product you are using is still in support. If any software uses outdated libs from 2015 you should consider to replace this software.
Regards,
Jens
Have you checked CVE-2021-4104?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2021-4104
This is correct but in context of CVE-2021-44228 it is not affected. In the end when a software wasn't patched for years there are several security vulnerabilities. So, CVE-2021-4104 is not the first and not the last one 😉
Hi Jens, with the Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.7 we found CVE-2021-4104 in Eclipse plugin com.sap.ndb.studio.modeler.cr4e.doc_2.3.62.jar (lib/log4j.jar). Is there any statement from SAP on this one? I haven't found anything relevant for this Eclipse plugin in the KB.
Hi Jascha,
as far as I understand, you have scanned a Windows client and found an Eclipse plugin from the studio modeler. As you can read in the document provided by SAP, ABAP in Eclipse and HANA studio are not named as impacted. As far as it affects only clients, I would not rate it too high 😉
Regards,
Jens
Hi Jens,
Thanks for your answer, you're right. I also don't estimate a high risk, but our automatic scan triggers an alert. Do you know if there is any plan to upgrade the used library anytime soon? It's hard to classify all our software packages as client-only or not to make a kind of exemption-list.
Hi Jascha,
sorry, I'm not aware of the current roadmap. You have to open an OSS message to get these details from SAP.
Regards,
Jens
Maybe the official communication from our SAP Security Team might help also. It contains a list of many SAP applications that are not affected and also some that are in mitigation. Please check the document regularly as it is get updated constantly.
Document on the My Trust Center (Support Portal) - access requires an S-User:
https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf
Hi Dirk,
the mentioned document is already linked and referred as source. I will add the detail that it will updated constantly as further hint.
Regards,
Jens
Hi Jens,
Thanks for the informative blog.
According to 3131258 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA you can upgrade to 1.0.141 (available now) or when this is not immediately possible, remove the JndiLookup.class from the jar-file. This should then fix XSA as a platform, but one should still check the XSA application on top of it. The latest xsa-cockpit, release 16.12.21, SP01 Patch23 for XSA COCKPIT 1) is based on 2.15.0. Any idea when 2.16.0 will be released?
Thanks!
Sander.
Hi Sander,
thanks for the info. log4j version 2.15.0 is included which means that still CVE-2021-45046 is valid for 1.0.141. Only log4j version 2.16.0 will fix it completely.
Regards,
Jens
Not sure if XSA 1.0.141 includes 2.15.0 for the uaaserver (did not have the option yet to test the upgrade). The xsa-cockpit component however still uses it in the latest version.
Hi Jens,
Found the time to update a sandbox to 1.0.141. This includes 2.16.0.
So it is definitely "just" xsa-cockpit which is still based on 2.15.0.
Update: new note confirms this, version 1.1.23 contains 2.15.0: 3131397 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
Am eagerly waiting on a version with 2.16.0 there as well.
Cheers,
Sander.
XSA Cockpit version 1.1.24 was just released, which indeed has 2.16.0.
Hi Jens,
Do you know if the fix for HANA XS is sustainable or do we need to change it again because of the recent update on the log4j vulnerability?
Nipun
Hi Nipun,
AFAIK the XS classic is not explicitly named as affected. The classic XS JavaScript (XSJS) is supported by a framework running in the Node.js runtime. This means that no log4j Java class is implemented. But to be on the safe side, you have to open an OSS ticket. Be aware that XSC has been deprecated for a long time and all applications should be migrated to XSA.
Regards,
Jens
Hi,
thanks for this valueable Post !
I was able to find EXTAPPSER00P_142-70001316.SAR which seems to be XSA PL142.
Unfortunately no further information can be found in the Marketplace on whether this covers log4j 2.17.
Do you probably have any insights here ?
Thanks in advance !
Nicolas
Hi *,
first I would like to thank everyone and especially Jens for sharing this information.
Just wanted to confirm that EXTAPPSER00P_142-70001316.SAR covers log4j 2.17.
xs version
Client version: xs v1.0.142
find /hana/shared/$SID/xs/uaaserver/tomcat -name "*log4j-core*"
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-2.17.0.jar
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-2.17.0.jar
Br,
Björn
Hi Björn,
thanks for cross checking. XSACXSACOCKPIT01_25-80002644.ZIP (1.1.25) and EXTAPPSER00P_142-70001316.SAR (1.0.142) include the latest log4j fix 2.17.0. Currently there are no known CVEs / vulnerabilities which were not fixed by this patch. This means everybody should patch the system to this patch level to avoid a security breach.
Thanks & merry X-mas
Jens
Any update on 2.17.1 version of log4j for SAP.
We have vulnerability 376209 - Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832), reported via the Qualys tool.
And solution suggested is log4j be updated to version 2.17.1
In the blog, it is told 2.17.1 is not yet available.
Any plans for release of version 2.17.1?
Thanks,
Vikas
Hi Vikas,
it is still the latest status. There is no released XSA COCKPIT or XS Advanced Runtime version for log4j 2.17.1. I don't have any release details for RTC of it.
Regards,
Jens
Hi Jens,
There is another Qualys Vulnerability reported in our servers w.r.t log4j
106032 EOL/Obsolete Software: Apache Log4j 1.X Detected
it is pointing to "ds/log4j-1.2.17.jar#"
Customers are advised to upgrade to Apache Log4j 2.X, for more information please refer to
https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
Has SAP released log4j 2X versions?
https://www.google.com/search?q=site:sap.com+"Log4j 2"
Support team says that SAP has not released log4j version 2x for hana systems
Is this info correct?
Thanks,
Vikas
Hi Vikas,
please read the blog carefully. log4j V1 is not supported anymore. In the components mentioned in this blog there are updates of log4j V2 available. This indicates the 2 in the version of log4j: 2.17.0
Which support team says there is no version 2? What is meant by "for hana systems"? A blank HANA installation doesn't include Java and so there is nothing to patch. Only when it comes to XSA is there something to do. But please read the blog and its sources properly. This will answer all your questions. If there is still something unclear please open an OSS ticket.
Regards,
Jens
Hello SAP Stalwarts,
XSA Cockpit version 1.1.26 released on 22nd Jan 2022 includes log4j 2.17.1 (log4j-api-2.17.1.jar & log4j-core-2.17.1.jar) version jar files. So we should be good to update this XSA Cockpit version.
We still have to wait for SAP to release XSA Version and HANA Cockpit version with log4j 2.17.1 version.
Download Zip file -XSACXSACOCKPIT01_26-80002644.ZIP
Thanks
Sathya
Hi Sathya,
thanks for the update on this. I recently added this detail to the blog. The note which should describe it in detail is currently not officially available ("is being created").
Regards,
Jens
Just an update for Folks
There is a new Patch available now for Hana Cockpit 2.0
HANA Cockpit 2.14.6 contains the XSA v1.0.143 and XSA Cockpit 1.1.26, and the log4j is 2.17.1
SAPHANACOCKPIT14_6-70002299.SAR
Cheers..
Shreyas