Simona Lincheva

SAP IdM and recent log4j 2 vulnerabilities (CVE-2021-44228)

Hi all,

This blog is about the recent issue with the popular Java logging library log4j version 2 (an open-source component for logging and tracing application events). It only touches on the parts relevant to SAP IdM and the components around it, such as the AS Java, ASE, Oracle and VDS. For a more general discussion of this CVE, its SAP impact and the mitigation, see SAP Note 3130476 – Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications.

A critical security problem was discovered that lets attackers exploit affected applications with little effort and with severe impact: log4j 2 (2.0-beta9 up to 2.14.1) resolves ${jndi:...} lookups inside the messages it logs, so any attacker-controlled string that ends up in a log line (a user name, an HTTP header, an LDAP attribute) can make the JVM fetch and run code from a remote server. A good write-up of the finding is here: CVE-2021-44228 – Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

The main issue for IdM is the impact on the SAP NetWeaver Application Server Java Core Components, on which the IdM UI runs:

3129883 – CVE-2021-44228 – AS Java Core Components’ impact for Log4j vulnerability – SAP ONE Support Launchpad

And the solution provided by SAP:

  1. Open Config Tool “/usr/sap/<SID>/<instnr>/j2ee/configtool/configtool.sh (Unix) or configtool.bat (Windows)”.
  2. Choose “View” -> Expert Mode.
  3. Navigate to “cluster-data” -> template -> in the right pane click on “VM Parameters” -> System.
  4. Add “New” parameter with name “log4j2.formatMsgNoLookups” and value “true”.
  5. Maintain the same parameter and value also in instance(s) level: cluster-data -> template -> instance.
  6. Save Config Tool.
  7. Restart J2EE Engine Cluster.

2929868 – How to isolate Security Vulnerability issue from AS Java perspective – SAP ONE Support Launchpad

IdM running on Oracle should be fine based on SAP Note 3130747, and the same goes for ASE (SAP Note 3129897):

3130747 – Oracle Security Alert for CVE-2021-44228 – Apache Log4j vulnerability – SAP ONE Support Launchpad

3129897 – CVE-2021-44228 – Log4j vulnerability – no impact on SAP Adaptive Server Enterprise (ASE) – SAP ONE Support Launchpad

On first inspection, SAP IdM itself does not use log4j version 2. The VDS (Eclipse-based) installation and its customizable log4j configuration (external\log4j.properties in the VDS home directory) should be checked separately: a configuration in the log4j 1.x properties format (log4j.rootLogger=..., log4j.appender.X=...) points to log4j 1.x, which is not affected by CVE-2021-44228, but confirm which log4j jars are actually on the VDS classpath rather than relying on the config file alone.
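Since the VDS side "should be checked", here is an added example of such a check. It is my own illustration, not SAP tooling or anything from the SAP notes: a Python script that walks a directory (for instance the VDS home directory or an AS Java instance directory, both assumed paths), opens every jar/war/ear including archives nested inside other archives, and reports whether each one carries log4j 2's JndiLookup class (plus the log4j-core version read from its Maven pom.properties) or log4j 1.x. The sample archives built by build_sample_tree() are constructed for the example; the version cut-offs are Apache's published fixed releases (2.16.0, 2.12.2 for the Java 7 line, 2.3.1 for the Java 6 line), and 2.15.0 is deliberately still reported as exposed because its fix was incomplete (CVE-2021-45046).

```python
"""Find log4j jars under a directory and say whether each is exposed to
CVE-2021-44228. Added example for this post, not SAP tooling; demo() scans
constructed archives in a temp directory, not real SAP files."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j2_version(zf):
    """Version of log4j-core from its Maven pom.properties, or None if absent."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def vulnerable_to_44228(version):
    """True if the JNDI lookup is still reachable in this log4j-core version.
    Apache fixed it in 2.16.0 (2.12.2 on the Java 7 line, 2.3.1 on Java 6);
    2.15.0 is treated as exposed because its fix was incomplete (CVE-2021-45046)."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    if parts[:2] == (2, 12):
        return parts < (2, 12, 2)
    if parts[:2] == (2, 3):
        return parts < (2, 3, 1)
    return parts < (2, 16, 0)


def classify(zf):
    """(kind, version, exposed) for one archive, or None if it has no log4j."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        ver = log4j2_version(zf)
        # Unknown version: report it as exposed until someone checks by hand.
        return ("log4j2", ver, vulnerable_to_44228(ver) if ver else True)
    if LOG4J1_CLASS in names:
        # log4j 1.x has no message lookups, so CVE-2021-44228 does not apply.
        return ("log4j1", None, False)
    return None


def scan_archive(zf, label, findings):
    hit = classify(zf)
    if hit:
        findings.append((label,) + hit)
    # Look inside fat jars and ear/war bundles too; that is where log4j-core hides.
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(inner, f"{label}!/{name}", findings)


def scan_tree(root):
    """Walk root and return [(path, kind, version, exposed), ...] in path order."""
    findings = []
    for dirpath, _, files in sorted(os.walk(root)):
        for f in sorted(files):
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            label = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, label, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _make_jar(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed sample archives (fake class bytes, not real SAP files)."""
    core = {JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"}
    _make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), core)
    _make_jar(os.path.join(root, "log4j-1.2.17.jar"), {LOG4J1_CLASS: b"\xca\xfe\xba\xbe"})
    _make_jar(os.path.join(root, "other.jar"), {"com/example/App.class": b"\xca\xfe\xba\xbe"})
    fixed = dict(core, **{POM_PROPS: b"version=2.17.1\n"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as inner:
        for n, d in fixed.items():
            inner.writestr(n, d)
    # A patched log4j-core nested inside an ear, as a deployed application would ship it.
    _make_jar(os.path.join(root, "app.ear"), {"lib/log4j-core-2.17.1.jar": buf.getvalue()})


def demo():
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, kind, ver, exposed in demo():
        print(f"{path}: {kind} {ver or '?'} {'EXPOSED' if exposed else 'ok'}")
```

For a real check, call scan_tree() on the directory in question (for example scan_tree("/usr/sap/<SID>/<instnr>/j2ee") or the VDS home directory; both paths are placeholders) and review every line marked EXPOSED. A jar that contains JndiLookup.class but reports a version of 2.16.0 or later is not flagged, because JNDI lookups are disabled by default from there on. For an old log4j-core that cannot be upgraded immediately, Apache's documented mitigation is to delete the class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class); this scanner will then no longer report that jar. Treat the scan as a complement to the SAP notes, not a replacement for them.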

Additional info on this topic – Log4j – Apache Log4j Security Vulnerabilities

SAP NetWeaver Application Server Java Core can be affected, but there is a workaround in SAP Note 3129883 (… add a “New” parameter with name “log4j2.formatMsgNoLookups” and value “true”). Two caveats a practitioner should keep in mind: the property only has an effect on log4j 2.10 and later, and Apache later declared it an incomplete mitigation (CVE-2021-45046), so treat it as a stop-gap and follow the current version of the SAP notes for the proper fix; and after the restart, verify that the running server node really carries the property (for example with jcmd <pid> VM.system_properties on a JDK that ships jcmd), since a parameter that is saved but not applied to the instance protects nothing.

In the end, it seems to have paid off that IdM was not too far ahead of its time and kept to old, known technologies 😀 Here is the official SAP note related to IdM – 3131771 – Log4j Vulnerability on IDM System – SAP ONE Support Launchpad

In case of any new updates on the subject, I will try to keep the blog updated as well.

New note related to the VDS – 1836761 – VDS: StackOverflowError when using Log4J logging – SAP ONE Support Launchpad


Kind Regards,

Simona Lincheva


      1 Comment

      Jonathon Sells

      Thank you for the detailed information. I do have a follow up question. Does SAP Note 3130747 apply to DB2 11.1 installs running in Oracle mode?

      Regards

      Jon