CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

A vulnerability related to Java log4j has been announced (CVE-2021-44228).

According to SAP KBA 3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability (SAP S-ID login required), SAP Business Objects BI Platform is not impacted. This appears to be because Business Objects is released with an older version of log4j (1.2.6) that is not impacted by the vulnerability.

SAP is recommending that you apply a minimum of BI 4.2 SP05 to have mitigation related to other Remote Code Execution vulnerabilities related to the Java versions bundled with the installations.

From what I have been able to determine, Crystal Reports is not impacted either.

This posting is a public service announcement only. The poster cannot provide support related to this topic.

Update, 14 December 2021
SAP has released an official statement with regard to this issue; it appears to be open to the general public (no S-ID login required).
SAP’s Response to CVE-2021-44228 Apache Log4j 2


Hurrah for not keeping up to date with libraries. Not sarcastic here. If it ain't broke, don't fix it.

log4j 1.x is not completely safe either, with an EOL in 2015 :smiley:


My understanding is that SAP has added this to their list of items to update. We will have to see how long that takes them.

What about Tomcat version 8? Is it affected by the vulnerability?

From what I have seen, it does not affect the version of Tomcat that is bundled with Business Objects as all of the instances of log4j are version 1.x. If you have an installation of Tomcat that was not installed from the version bundled with Business Objects, it could be impacted. You will have to research Tomcat for what version of log4j it is using.

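For a Tomcat that was installed separately, as the reply above describes, the bundled log4j version has to be checked on disk. The following is an added example, not code from this thread or from SAP: it inventories log4j archives under a directory, including JARs nested inside WAR/EAR files, and reports the version and whether the JndiLookup class that CVE-2021-44228 involves is present. All function names are hypothetical, and `build_sample` creates constructed test files (the 2.14.1 version in it is a constructed sample value).

```python
import io, re, tempfile, zipfile
from pathlib import Path

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_MARK = "org/apache/log4j/Logger.class"   # log4j 1.x API classes
V2_MARK = "org/apache/logging/log4j/core/"  # log4j-core 2.x classes
MANIFEST = "META-INF/MANIFEST.MF"
MF_VER = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)  # preferred source
NAME_VER = re.compile(r"log4j[\w.-]*?-(\d+(?:\.\d+)+)", re.I)   # fallback: file name
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(fileobj, label, out):
    """Append (where, kind, version, has_JndiLookup) per log4j archive, recursing into nested ones."""
    with zipfile.ZipFile(fileobj) as zf:
        names = zf.namelist()
        core = any(n.startswith(V2_MARK) for n in names)
        kind = "log4j-core 2.x" if core else "log4j 1.x API" if V1_MARK in names else None
        if kind:
            mf = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
            m = MF_VER.search(mf) or NAME_VER.search(Path(label.rsplit("!", 1)[-1]).name)
            out.append((label, kind, m.group(1) if m else "unknown", JNDI in names))
        for n in names:
            if n.lower().endswith(ARCHIVES):  # JARs inside WAR/EAR files
                scan_archive(io.BytesIO(zf.read(n)), f"{label}!{n}", out)

def scan_tree(root):
    """Scan every JAR/WAR/EAR under root; unreadable archives are reported, not skipped."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            try:
                scan_archive(p, str(p), out)
            except zipfile.BadZipFile:
                out.append((str(p), "unreadable", None, None))
    return out

def build_sample(root):  # constructed sample data, not files from a real installation
    with zipfile.ZipFile(Path(root, "log4j-1.2.6.jar"), "w") as z:
        z.writestr(V1_MARK, b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(MANIFEST, "Implementation-Version: 2.14.1\r\n")
        z.writestr(JNDI, b"")
    with zipfile.ZipFile(Path(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(*scan_tree(d), sep="\n")
```

To use it on a real installation, call `scan_tree` with the Tomcat or application root instead of the temporary sample directory. The log4j 2.x "1.2 bridge" JAR also ships the 1.x API package, so a "log4j 1.x API" result with a 2.x version number is that bridge rather than log4j 1.x itself.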

Thanks for the info JohnB!

For those with an SAP S-ID support login, there has been a request submitted to Customer Influence to have the log4j versions updated in Business Objects. Log4j version 1.x is end of life, for security policy best practices please upgrade. You can add your vote if you like.