Systems and services that use the Java logging library Apache Log4j, between versions 2.0 and 2.14.1, are all affected, including many services and applications written in Java.(1) The problem lies in Log4j, a ubiquitous, open-source Apache logging framework that developers use to keep a record of activity within an application.(2)
What is Log4j?
Log4j is an open-source logging framework written in Java. It is a toolkit designed to make writing log messages, configuring their destinations, and integrating logging into your application quick and easy. It provides extensive control over properties, levels, appenders, and formatting, using the well-known layout models common to logging frameworks.
On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was reported.(3) A zero-day vulnerability is one that has not been published or patched by the vendor, and for which exploits are being actively developed. Chen Zhaojun of the Alibaba Cloud Security Team first identified the Log4j vulnerability, which Apache rated as Critical severity. This particular issue was identified in log4j2 and fixed in log4j 2.15.0.
Is SAP BusinessObjects Business Intelligence Platform (BI) 4.x Affected?
According to SAP, BusinessObjects is not impacted.(4)
- SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228, as it packages log4j version 1.2.6 (as of 4.3 SP02); earlier releases of BI may have older versions.
- The log4j version can be determined by opening the log4j.jar file in a zipping tool and reading the MANIFEST.MF file in META-INF.
- The version of Apache Struts included in the platform relies on log4j-api 2.12, which is not affected by the vulnerability. Only the module log4j-core is affected.
- The impacted component is the main JNDI package. JNDI classes and methods are not used in the SAP BusinessObjects BI Platform.
- Further security / mitigation against Remote Code Execution is available at the Java level in 8u121 and 8u191; therefore we recommend that customers be on a version of SAP BusinessObjects BI Platform that packages at least a Java version > 8u121. The minimum version we therefore recommend is 4.2 SP05. For more information about the versions of SAPJVM (and which Oracle JVM version they are based on) supplied per BI version, see:
2914488 – List of Bundled SAP JVM versions shipped with selected Patches of SAP BusinessObjects Business Intelligence Platform 4.x
- An update from 1.2.6 to 2.15 is planned for a future release.
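The bullets above give a defender three checks: read the version out of META-INF/MANIFEST.MF, confirm whether the jar is log4j-core rather than log4j-api, and compare the version against the affected range 2.0 to 2.14.1. The script below is an added example (not SAP's or Apache's code) that automates those checks over a directory tree. It builds three constructed sample jars in a temporary directory, with manifest fields (Bundle-SymbolicName, Implementation-Version) that are assumed to match the layout of real Log4j jars, and falls back to the file name when a manifest carries no version.

```python
"""Added example, not code from SAP or Apache: find log4j jars under a
directory, read the version from META-INF/MANIFEST.MF, and flag only
log4j-core builds in the CVE-2021-44228 range 2.0 <= version <= 2.14.1.
Sample jars are constructed locally so the script runs offline."""
import os
import re
import tempfile
import zipfile

VULN_MIN = (2, 0, 0)   # first affected log4j-core release
VULN_MAX = (2, 14, 1)  # last affected release; 2.15.0 carries the fix


def parse_version(text):
    """Return (major, minor, patch) from a dotted version; missing parts are 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def manifest_fields(manifest_text):
    """Parse MANIFEST.MF into a dict; a line starting with a space continues
    the previous field, an empty line ends a section."""
    fields, key = {}, None
    for line in manifest_text.splitlines():
        if not line:
            key = None
        elif line.startswith(" ") and key:
            fields[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def jar_info(path):
    """Return (artifact, version) from a jar's manifest, or (None, None)."""
    with zipfile.ZipFile(path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None, None
    f = manifest_fields(raw)
    artifact = f.get("Bundle-SymbolicName") or f.get("Implementation-Title")
    version = f.get("Implementation-Version") or f.get("Bundle-Version")
    return artifact, version


def name_fallback(filename):
    """Recover artifact and version from a name like log4j-core-2.14.1.jar."""
    m = re.match(r"(log4j(?:-core|-api)?)-(\d[\w.\-]*)\.jar$", filename, re.I)
    return (m.group(1), m.group(2)) if m else (None, None)


def classify(artifact, version):
    """Only log4j-core 2.0..2.14.1 is in scope for CVE-2021-44228; log4j-api
    alone and the 1.2.x line are not."""
    v = parse_version(version) if version else None
    if not artifact or v is None:
        return "unknown"
    a = artifact.lower()
    if "log4j" in a and "core" in a and VULN_MIN <= v <= VULN_MAX:
        return "affected"
    return "not-affected"


def scan_tree(root):
    """Walk root, inspect every *.jar, return {basename: (version, verdict)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            artifact, version = jar_info(os.path.join(dirpath, name))
            if artifact is None or version is None:
                artifact, version = name_fallback(name)
            results[name] = (version, classify(artifact, version))
    return results


def build_sample_tree():
    """Create a temp dir with three constructed jars (sample data, not real
    Apache artifacts) and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        "log4j-core-2.14.1.jar": ("org.apache.logging.log4j.core", "2.14.1"),
        "log4j-api-2.12.1.jar": ("org.apache.logging.log4j", "2.12.1"),
        "log4j-1.2.17.jar": ("log4j", "1.2.17"),
    }
    for name, (symbolic, version) in samples.items():
        manifest = ("Manifest-Version: 1.0\n"
                    f"Bundle-SymbolicName: {symbolic}\n"
                    f"Implementation-Version: {version}\n\n")
        with zipfile.ZipFile(os.path.join(root, "lib", name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root


if __name__ == "__main__":
    for jar, (ver, verdict) in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{jar:28} {ver:8} {verdict}")
```

Run it as is to see the three constructed jars classified, or call `scan_tree("/path/to/install")` against a real installation. The verdict deliberately keys on "core" in the artifact name so that log4j-api, which the platform's Apache Struts build depends on, is not reported as a finding; any jar without a readable manifest or version is reported as unknown rather than silently skipped.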
1. Security warning: New zero-day in the Log4j Java library is already being exploited. Danny Palmer, Senior Reporter, ZDNet.
2. 'The Internet Is on Fire': A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix. Lily Hay Newman, Wired.
3. What's the Deal with the Log4Shell Security Nightmare? Nicholas Weaver, Lawfare.
4. KBA 3129956 – CVE-2021-44228 – BusinessObjects impact for Log4j vulnerability. SAP ONE Support Launchpad.