RCE 0-day exploit found in log4j 2- Is SAP Affected?

Our partners at Protect4S have released the following information;


Update: (Dec 13,2021) SAP released ~20 notes on log4j, indicating most software is not impacted, apart from:

  • XS Advanced Runtime version 1.0.140 or lower (SAP note 3130698)
  • SAP Customer Checkout PoS and SAP Customer Checkout manager – in versions 2.0 FP09, 2.0 FP10, 2.0 FP11 PL06 (or lower) and 2.0 FP12 PL04 (or lower). (SAP note 3130499)


Big shout out to all heroes working this weekend in software development, bug fixing, certs, socs, blue teams and alike on the recent disclosed vulnerability in Apache log4j. This open source component is used for logging purposes and included in many commercial software products like Vmware, Twitter, Docker, Minecraft and many many others.

But how about SAP products? Should customers take action? 

For now, the impact of this vulnerability seems limited when it comes to SAP products. A search on the marketplace on the cve-name shows a couple of notes SAP has released already on the topic. It is our expectation that in the coming days these will be extended for other products but for now it seems that at least the following products are not affected:

Our own research on SAP business Objects showed that the log4j jar file is present but not being used and is not exploitable in the default setup.

Further research is needed as this vulnerability is rather fresh and we expect SAP to keep updating customers on this topic. Luckily for now it seems the impact is low and once again underlining the attention we should give to re-use of open-source software components and the need for proper vulnerability management processes.


If you would like to learm more about, or start a free trial of, Protect4S Automated SAP Vulnerability Scanning and Remediation software then please contact us at info@greymonarch.com or complete the contact form via the below link.

What Now? ...

Learn More about our SAP Vulnerability Scanning as a Service

Contact Us