Advisory: Apache log4j vulnerability (CVE-2021-45046)


Sage was alerted on Tuesday 14th December 2021 to a Common Vulnerabilities and Exposures notice (CVE-2021-45046) stating that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Note that the earlier mitigation of setting the system property log4j2.formatMsgNoLookups to true does NOT mitigate this specific vulnerability. Please see the Apache site for more details.

References
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

The Apache Log4J 2 library is used in the 2020 R2, 2021 R1, and 2021 R2 versions of Sage CRM.

Patches for Sage CRM
Sage has 3 patches in test to update Apache Log4j to 2.16:

Sage CRM 2020 R2
Sage CRM 2021 R1
Sage CRM 2021 R2

Availability of the patches will be announced on Sage City.

Please watch the following Sage City links for news:

Sage City page: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts
Sage City feed: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts/rss

This applies to Sage CRM stand-alone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.

  • The issue is very specifically to do with the JNDILookup class - which was only introduced into Log4j version 2.0beta9. It doesn't exist in any version of log4j prior to that - such as log4j-1.2.16.jar that was shipped with CRM prior to 2020R2 (you can use a Java decompilation tool like Luyten to check this for yourself). CVE-2021-44228 explicitly states that the exploit affects versions 2.0beta9 to 2.14.1. So as far as assumptions go, it's a reasonably safe one.
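The version thresholds the advisory gives (2.0-beta9 to 2.14.1, the incomplete 2.15.0 fix, the 2.16 patch target) and the JndiLookup point made in the comment above can be combined into a jar inventory check for a Sage CRM install. This is an added example, not Sage's or Apache's code; it assumes the Log4j version can be read from the jar file name (renamed jars are missed), and the sample jars it builds are empty constructed stubs, not real Log4j.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class the comment above names as the root of the issue: first shipped in 2.0-beta9.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+\.\d+(?:\.\d+)?(?:-(?:beta|rc)\d+)?)\.jar$")

def parse_version(ver):
    """'1.2.16', '2.0-beta9', '2.14.1' -> comparable tuple; betas sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {ver}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))

def classify(version):
    """Status per the advisory's version thresholds (status labels are ours)."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not affected: pre-2.0-beta9, no JndiLookup"
    if v <= parse_version("2.14.1"):
        return "vulnerable: CVE-2021-44228"
    if v < parse_version("2.16.0"):
        return "vulnerable: CVE-2021-45046 (2.15.0 fix incomplete)"
    return "patched: 2.16.0 or later"

def scan(root):
    """Map each log4j / log4j-core jar under root to (status, JndiLookup present)."""
    results = {}
    for jar in Path(root).rglob("log4j*.jar"):
        m = JAR_NAME.match(jar.name)
        if not m:  # log4j-api and bridge jars do not carry JndiLookup; skip them
            continue
        with zipfile.ZipFile(jar) as zf:
            present = JNDI_LOOKUP_CLASS in zf.namelist()
        results[jar.name] = (classify(m.group(1)), present)
    return results

def demo():
    """Build constructed sample jars (empty stubs, not real Log4j) and scan them."""
    root = Path(tempfile.mkdtemp())
    samples = {"log4j-1.2.16.jar": False, "log4j-core-2.14.1.jar": True,
               "log4j-core-2.15.0.jar": True, "log4j-core-2.16.0.jar": True}
    for name, has_class in samples.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            if has_class:
                zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return scan(root)
```

Point scan() at the CRM install directory; a jar reported as 2.15.0 needs the Sage patch regardless of whether the formatMsgNoLookups property was set.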
