Critical Vulnerability in log4j – Impact on SAP (HCM)?
The BSI (Federal Office for Information Security) has issued a cybersecurity warning of the highest severity level, known as ‘Red Alert,’ for the critical vulnerability (log4shell) in the widely used Java library log4j.
What does this mean in the context of SAP, and what measures should you take now?
Our partner company, smarterSec GmbH, has published a blog article on this topic. You can find the full article here:
br
Background
The open-source Java library log4j provides general services for creating and managing application logs and is widely used as part of the Apache Software Foundation. The vulnerability known as ‘log4shell’ allows for Remote Code Execution (RCE), which means loading and executing source code remotely. Exploiting this vulnerability is relatively straightforward.
Context for SAP Applications
Since the discovery of the vulnerability, several SAP notes have been released. We recommend analyzing all of these notes and checking for applicability. Implementable corrections should be urgently applied (according to your organization’s applicable hotfix/emergency transport process). Additionally, in the coming days, regularly review the new SAP notes for further corrections related to log4shell.
SAP Add-Ons and Non-SAP Interfaces
If an affected release of the log4j library is used in an add-on, it cannot typically be replaced directly by end-users. Similar to SAP, many add-on providers have already provided or will soon provide appropriate patches. We strongly recommend applying patches provided by the manufacturer immediately. As mentioned above, the critical functionality from log4j can be deactivated through configuration until a patch is delivered. This should be done only upon the manufacturer’s recommendation. If such a recommendation from the manufacturer is not yet available, we recommend inquiring about the status of the add-on regarding the log4shell vulnerability.
Impact on scdsoft Add-On Solutions
Regarding our scdsoft add-on solutions, we can provide reassurance: Our tools are based on Web Dynpro ABAP technology, which does not use Java. Therefore, there is no action required for any of our scdsoft add-on solutions.