Update (Dec 13, 2021): SAP released ~20 notes on log4j, indicating most software is not impacted, apart from:
Big shout out to all heroes working this weekend in software development, bug fixing, CERTs, SOCs, blue teams and the like on the recently disclosed vulnerability in Apache log4j. This open-source component is used for logging purposes and is included in many commercial software products like VMware, Twitter, Docker, Minecraft and many, many others.
But how about SAP products? Should customers take action?
For now, the impact of this vulnerability seems limited when it comes to SAP products. A search on the marketplace for the CVE name shows a couple of notes SAP has already released on the topic. We expect these to be extended to other products in the coming days, but for now it seems that at least the following products are not affected:
Our own research on SAP BusinessObjects showed that the log4j jar file is present but not used, and that it is not exploitable in the default setup.
Further research is needed, as this vulnerability is rather fresh, and we expect SAP to keep updating customers on the topic. Luckily, for now the impact seems low. Once again this underlines the attention we should give to the re-use of open-source software components and the need for proper vulnerability management processes.
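The finding above (a log4j jar present on a system but not necessarily used) is exactly what a vulnerability management process needs to surface first: an inventory of where log4j-core ships, including copies bundled inside wars and ears, with the version and whether the JndiLookup class is still present. The script below is an added example, not Protect4S's or SAP's code. It assumes Apache log4j-core jars record their version as Implementation-Version in META-INF/MANIFEST.MF, and the sample directory tree it scans is constructed inline for the demo; the triage rule in needs_attention is a conservative heuristic, and SAP's own notes remain the authority on whether a product is affected.

```python
# Added example (not Protect4S's or SAP's code): inventory log4j-core archives.
# Assumes log4j-core jars state "Implementation-Version" in META-INF/MANIFEST.MF;
# the sample tree built by build_sample_tree() is constructed for this demo.
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"

@dataclass
class Log4jFinding:
    path: str                # nested entries are reported as "outer!inner"
    version: Optional[str]   # None when the manifest does not declare one
    jndi_lookup_present: bool

def _manifest_version(zf):
    """Read Implementation-Version from the archive manifest, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def _scan_archive(zf, label, depth, out):
    """Record the archive if it holds log4j-core classes; recurse into embedded jars."""
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        out.append(Log4jFinding(label, _manifest_version(zf), JNDI_LOOKUP in names))
    if depth == 0:
        return
    for name in names:
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_archive(inner, f"{label}!{name}", depth - 1, out)
            except zipfile.BadZipFile:
                continue

def scan_for_log4j(root, max_depth=2):
    """Walk `root` and return every archive containing log4j-core classes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".jar", ".war", ".ear", ".zip")):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_archive(zf, full, max_depth, findings)
                except zipfile.BadZipFile:
                    continue
    return findings

def needs_attention(f):
    """Conservative 2.x triage: flag builds below 2.16.0 that still ship
    JndiLookup.class, or whose version cannot be read (vendor notes decide)."""
    if not f.jndi_lookup_present:   # class removed: the documented mitigation
        return False
    if f.version is None:
        return True
    nums = []
    for part in f.version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums) < (2, 16, 0)

def _write_core_jar(dest, version, with_jndi):
    """Minimal stand-in for a log4j-core jar (constructed, not a real build)."""
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def build_sample_tree(root):
    """Constructed sample: a 2.14.1 jar, the same jar with JndiLookup removed,
    an unrelated jar, and a war that embeds a 2.17.1 log4j-core."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    _write_core_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_core_jar(os.path.join(lib, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)
    with zipfile.ZipFile(os.path.join(lib, "other-lib-1.0.jar"), "w") as zf:
        zf.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")
    inner = io.BytesIO()
    _write_core_jar(inner, "2.17.1", True)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", inner.getvalue())

def demo():
    """Scan the constructed tree; return {relative_path: (version, jndi, needs_attention)}."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return {os.path.relpath(f.path, root).replace(os.sep, "/"):
            (f.version, f.jndi_lookup_present, needs_attention(f))
            for f in scan_for_log4j(root)}

if __name__ == "__main__":
    for path, (ver, jndi, flag) in sorted(demo().items()):
        print(f"{'REVIEW' if flag else 'ok    '}  {path}  version={ver}  JndiLookup={jndi}")
```

Pointing scan_for_log4j at a real installation root gives the raw inventory; a jar that shows up in it is not by itself an affected product (the BusinessObjects case above is one where the jar is present but unused), so each finding still has to be matched against the vendor's notes and against whether the application actually loads that jar.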
If you would like to learn more about, or start a free trial of, Protect4S Automated SAP Vulnerability Scanning and Remediation software, please contact us at firstname.lastname@example.org or complete the contact form via the link below.
Learn More about our SAP Vulnerability Scanning as a Service