SAP IdM and recent log4j 2 vulnerabilities (CVE-2021-44228)
This blog is related to the recent issues with the popular Java logging library log4j version 2 (an open source component for logging and tracing application events), touching only on the topics related to SAP IdM and the components that might be connected to it, such as the AS Java, ASE, Oracle and VDS. You will find a more general discussion of this CVE, the SAP impact and the mitigation in SAP Note 3130476 – Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications.
A critical security problem was discovered that allows attackers to exploit applications with little effort and with severe security impact. Here are some nice links related to those vulnerability findings regarding log4j 2 – CVE-2021-44228 – Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec
The main issue related to IdM is the impact on the SAP NetWeaver Application Server Java Core Components:
And the solution provided by SAP:
- Open Config Tool “\usr\sap\<SID>\<instnr>\j2ee\configtool/configtool.sh (Unix) or configtool.bat (Windows)”.
- Choose “View” -> Expert Mode.
- Navigate to “cluster-data” -> template -> in the right pane click on “VM Parameters” -> System.
- Add “New” parameter with name “log4j2.formatMsgNoLookups” and value “true”.
- Maintain the same parameter and value also at instance level: cluster-data -> template -> instance.
- Save in the Config Tool.
- Restart J2EE Engine Cluster.
IdM running on Oracle should be fine, based on SAP Note 3130747, and the same for ASE (SAP Note 3129897).
Based on the initial impression, SAP IdM does not use log4j version 2. In the case of VDS/Eclipse and a customized log4j configuration (external\log4j.properties in the VDS home directory), it should be checked.
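To make that check concrete, here is an added script (not SAP's code and not part of the original blog) that walks a directory such as the VDS home for log4j jars, reads the version from the manifest or the file name, tells log4j 1.x (the generation driven by log4j.properties) apart from the 2.x range covered by CVE-2021-44228, and reports whether the JndiLookup class is present. The directory it scans is a constructed sample with stub jars, so it runs offline; point scan_for_log4j2 at the real VDS home to use it.

```python
import os
import re
import tempfile
import zipfile

AFFECTED_MAX = (2, 14, 1)  # CVE-2021-44228 affects log4j-core 2.0-beta9 .. 2.14.1; fixed in 2.15.0
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class behind the lookup

def inspect_jar(path):
    """Return (version, has_jndi_lookup); version from the manifest, else from the file name."""
    text, has_jndi = "", False
    try:
        with zipfile.ZipFile(path) as zf:
            has_jndi = JNDI_LOOKUP in zf.namelist()
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall back to the file name below
    m = (re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
         or re.search(r"(\d+\.\d+(?:\.\d+)?)", os.path.basename(path)))
    return (m.group(1) if m else None), has_jndi

def classify(version):
    """'affected', 'fixed', 'not-log4j2' or 'unknown', from the CVE's version range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "unknown"
    v = tuple(int(x or 0) for x in m.groups())
    if v[0] != 2:
        return "not-log4j2"  # e.g. log4j 1.x, the generation configured via log4j.properties
    return "affected" if v <= AFFECTED_MAX else "fixed"

def scan_for_log4j2(root):
    """Walk root (e.g. the VDS home directory) and report every log4j*.jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j") and name.endswith(".jar"):
                version, has_jndi = inspect_jar(os.path.join(dirpath, name))
                findings.append((name, version, classify(version), has_jndi))
    return sorted(findings)

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="vds_home_")  # constructed sample tree, not real SAP/VDS files
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"")  # stub entry standing in for the real class
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root
```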
Additional info on this topic – Log4j – Apache Log4j Security Vulnerabilities
SAP NetWeaver Application Server Java Core can be affected, but there is a workaround in SAP Note 3129883 (… add a “New” parameter with name “log4j2.formatMsgNoLookups” and value “true”).
In the end, it seems it’s fine that IdM was not too far ahead of its time and kept to old, known technologies 😀. Here is the official SAP note related to IdM – 3131771 – Log4j Vulnerability on IDM System – SAP ONE Support Launchpad
In case of any new updates on the subject, I will try to keep the blog updated as well.
A new note related to VDS – 1836761 – VDS: StackOverflowError when using Log4J logging – SAP ONE Support Launchpad