
Advisory: Apache log4j vulnerability (CVE-2021-44228)


Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability in Apache Log4j versions 2.0-beta9 through 2.14.1.
A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.
The Apache Log4J 2 library is used in the 2020 R2, 2021 R1, and 2021 R2 versions of Sage CRM.
The Sage CRM Development Team has investigated this as a critical issue.  
Manual Mitigation
Apache has advised that:
"This behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class." 
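As an added check for the guidance quoted above (this is not Sage's or Apache's code): the script reads a log4j-core jar, takes its version from the Maven pom.properties entry, checks whether JndiLookup.class is present, and reports which of the quoted mitigations applies to that version; it can also rewrite the jar without the class, the same effect as the zip -q -d command. The jar contents are constructed inside the script, and the pom.properties path and version format are assumptions.

```python
# Added example, not Sage or Apache code; sample jars below are constructed, not real.
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # assumed path

def parse_version(v):
    """'2.0-beta9' -> (2,0,0,-2,9), '2.0-rc1' -> (2,0,0,-1,1), '2.0' -> (2,0,0,0,0): beta < rc < release."""
    base, _, pre = v.partition("-")
    parts = ([int(x) for x in base.split(".")] + [0, 0, 0])[:3]
    tag = 0 if not pre else (-2 if pre.startswith("beta") else -1)
    num = int("".join(c for c in pre if c.isdigit()) or 0)
    return tuple(parts) + (tag, num)

def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar with only the entries the check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def inspect_jar(data):
    """Return (version, jndi_present, advice) for jar bytes, following the quoted Apache guidance."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            lines = jar.read(POM_PROPS).decode().splitlines()
            version = dict(l.split("=", 1) for l in lines if "=" in l).get("version")
    jndi = JNDI_CLASS in names
    if version is None:
        return None, jndi, "version unknown: check the jar manually"
    v = parse_version(version)
    if not jndi:
        advice = "JndiLookup already removed"
    elif v < parse_version("2.0-beta9") or v > parse_version("2.14.1"):
        advice = "outside the affected range 2.0-beta9 to 2.14.1"
    elif v <= parse_version("2.10.0"):
        advice = "remove JndiLookup.class from the jar (zip -q -d log4j-core-*.jar ...)"
    else:
        advice = "set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS) or use %m{nolookups}"
    return version, jndi, advice

def strip_jndi_lookup(data):
    """Rewrite the jar without JndiLookup.class: the same result as the zip -d command."""
    src, out = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO()
    with src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()
```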
Patches for Sage CRM
Sage has 3 patches in test for:
  • Sage CRM 2020 R2
  • Sage CRM 2021 R1
  • Sage CRM 2021 R2
Availability of the patches will be announced on Sage City.
Please watch the following Sage City links for news:
This applies to Sage CRM standalone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.