Apache Log4j vulnerability affects SAP
In December 2021, the critical vulnerability CVE-2021-44228 was discovered in Apache Log4j, a popular logging library for Java. The vulnerability affects a number of services, including Minecraft, Steam and Apple iCloud. SAP customers are concerned about the extent to which business-critical SAP SE applications are affected.
The SAP security team is intensively testing the possible impact on SAP applications. To date, SAP has identified 32 applications affected by CVE-2021-44228. 20 of them have already been corrected, 12 are currently pending review.
The December SAP Security Patch Day release does not list all the notes that carry information on the Log4j zero-day vulnerability in SAP products.
SAP releases December 2021 security updates
On the 14th of December 2021, SAP released a total of 15 new and updated security notes. Four of them carry the highest priority, HotNews.
SAP Security Note #2622660 is a recurring HotNews note that contains a SAP Business Client hotfix.
Note #3089831 with a CVSS rating of 9.9 is an updated September 2021 note. SAP says the update does not require any customer action.
SAP Security Note #3119365, with a CVSS score of 9.9, fixes a code injection vulnerability [CVE-2021-44231] in a text extraction report in the SAP ABAP Server Translation Tools and ABAP Platform. The vulnerability could allow an attacker with low privileges to execute arbitrary commands in the background. It did not receive the highest CVSS score because privileges are required to exploit the vulnerability.
The second new HotNews note is SAP Security Note #3109577. It has a CVSS rating of 9.9 and fixes several code execution vulnerabilities in SAP Commerce localization for China.