Home / Tech Tip / BusinessObjects / Tech Tip: Log4j Java Library Vulnerability and SAP BusinessObjects

Tech Tip: Log4j Java Library Vulnerability and SAP BusinessObjects

Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java.(1) The problem lies in Log4j, a ubiquitous, open-source Apache logging framework that developers use to keep a record of activity within an application.(2)

What is Log4j?

Log4j is an open-source logging framework written in Java. It’s a toolkit designed to make the process of writing log messages, configuring their destinations, and installing them to your application quick and easy. It provides extensive control over properties, levels, appenders, formatting using the well-known layout models common to logging frameworks.

Log4j Vulnerability

On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was reported.(3) A zero-day exploit is a security vulnerability that has not been published or patched by the vendor and one for which exploits are being actively developed. Chen Zhaojun of Alibaba Cloud Security Team first identified the Log4j vulnerability, rated at Critical vulnerability severity by Apache. This particular issue was identified in log4j2 and fixed in log4j 2.15.0.

Is SAP BusinessObjects Business Intelligence Platform (BI) 4.x Affected?

According to SAP, BusinessObjects is not impacted.(4)

  • SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228, which packages log4j version 1.2.6 (as of 4.3 SP02), earlier releases of BI may have older versions.
  • The log4j version can be determined by opening the log4j.jar file in a zipping tool, and reading the MANIFEST.MF file in META-INF
  • The version of Apache Struts included in the platform relies on log4j-api 2.12, which is not affected by the vulnerability. Only the module log4j-core is affected.
  • The impacted component is the main JNDI package. JNDI classes and methods are not used in the SAP BusinessObjects BI Platform.
  • Further security / mitigation against Remote Code Execution is available at the Java level in 8u121 and 8u191, therefore we recommend customers to be on a version of SAP BusinessObjects BI Platform that packages at least a version > 8u121. Therefore we recommend the minimum version that should be applied is 4.2 SP05. For more information about the versions of SAPJVM (and which Oracle JVM version they are based on) supplied per BI version, see:
    2914488 – List of Bundled SAP JVM versions shipped with selected Patches of SAP BusinessObjects Business Intelligence Platform 4.x
  • An update from 1.2.6 to 2.15 is planned for a future release.

References:

1. Security warning: New zero-day in the Log4j Java library is already being exploited
Danny Palmer, Senior Reporter, ZDNet
https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

2. ‘The Internet Is on Fire’
A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix.
LILY HAY NEWMAN, Wired
https://www.wired.com/story/log4j-flaw-hacking-internet/

3. What’s the Deal with the Log4Shell Security Nightmare?
Nicholas Weaver, Lawfare
https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare

4. KBA 3129956 – CVE-2021-44228 – BusinessObjects impact for Log4j vulnerability. SAP ONE Support Launchpad

About webadmin

INFOSOL is a leading provider of SAP BusinessObjects, consulting, products, education and technical support throughout North America. With an in-house product development team and partnerships with other leading Business Intelligence solutions providers around the world, INFOSOL offers the best-in-class and most innovative SAP BusinessObjects add-on solutions. These include InfoBurst for Automated Report and Dashboard Bursting and Publishing along with Intelligent Cache Query for optimal Xcelsius performance and scalability. Having more than 15 years experience in providing end-to-end Business Intelligence applications, INFOSOL has learned to see beyond the data and deliver visionary solutions that inspire.

Check Also

Let's Speak BO Webinar - Upcoming Event

Let’s Speak BO Webinar: What is Coming Next in 4.3 on Tuesday, October 4th

We will be joined by SAP France and they will let us know what is …

Leave a Reply

Your email address will not be published.