Advisory: Apache log4j vulnerability (CVE-2021-45046)


Sage was alerted on Tuesday 14th December 2021 to a Common Vulnerabilities and Exposures notice (CVE-2021-45046) stating that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Note that the previous mitigation of setting the system property log4j2.formatMsgNoLookups to true does NOT mitigate this specific vulnerability. Please see the Apache site for more details.

References
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45046

The Apache Log4j 2 library is used in the 2020 R2, 2021 R1, and 2021 R2 versions of Sage CRM.

Patches for Sage CRM
Sage has 3 patches in test to update Apache Log4j to 2.16 for the following releases:

Sage CRM 2020 R2
Sage CRM 2021 R1
Sage CRM 2021 R2

Availability of the patches will be announced on Sage City.

Please watch the following Sage City links for news:

Sage City page: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts
Sage City feed: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts/rss
This applies to Sage CRM stand-alone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.
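Because the advisory's remediation is the upgrade to Log4j 2.16 rather than the system-property mitigation, an administrator will want to confirm which log4j-core version each Sage CRM Tomcat actually ships. The script below is an added example, not Sage's code: it walks an install directory (the default path is taken from the comment's Tomcat path), reads each log4j-core jar's manifest, and flags anything older than 2.16.0.

```python
import re
import zipfile
from pathlib import Path

# Minimum fixed release named by the advisory for CVE-2021-45046.
FIXED_VERSION = (2, 16, 0)

def parse_version(text):
    """Turn '2.15.0' (or a short form such as '2.16') into a comparable int tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError):
        pass  # not a valid jar or no manifest: rely on the file name below
    m = re.search(r"log4j-core-(\d[\w.-]*)\.jar$", Path(jar_path).name)
    return m.group(1) if m else "unknown"

def scan(root):
    """Return [(path, version, needs_patch)] for every log4j-core jar under root."""
    findings = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        version = jar_version(jar)
        # An unreadable version is treated as needing attention, not as safe.
        needs_patch = version == "unknown" or parse_version(version) < FIXED_VERSION
        findings.append((str(jar), version, needs_patch))
    return findings

if __name__ == "__main__":
    import sys
    # Default install root assumed from the Tomcat path quoted in the comment.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\Sage\CRM"
    for path, version, needs_patch in scan(root):
        print(f"{'PATCH NEEDED' if needs_patch else 'ok':<12} {version:<10} {path}")
```

Run it once per Tomcat instance on the server; a result of 2.16.0 or later for every jar is the condition the patches are meant to reach.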

Comment
  • Regarding "Manual Mitigation" I assume that the properties file which needs to be amended is "C:\Program Files (x86)\Sage\CRM\CRM\tomcat\conf\logging.properties", by simply adding in the following line log4j2.formatMsgNoLookups=true and then restarting Tomcat.

    My preference would be not to add in an environment variable as this may adversely affect other installed instances of Tomcat which will be maintained by other software providers and may have their own strategy of dealing with this issue.