x Want to participate? Join the group to interact
Options
  • Locked Locked
  • Replies 1 reply
  • Subscribers 390 subscribers
  • Views 1933 views
  • Users 0 members are here
Browse Forums
Announcements
292
topics
370
replies
Business Object Interface
1k
topics
7k
replies
Core Financial Modules
2k
topics
8k
replies
Customization and Productivity
3k
topics
12k
replies
Distribution, Manufacturing, and Applications
2k
topics
7k
replies
General Discussion
1k
topics
3k
replies
Partner Cloud
43
topics
90
replies
Payroll, Time Tracking, and Job Cost
775
topics
1k
replies
Reporting and Analytics
960
topics
3k
replies
Sage CRM for Sage 100
164
topics
357
replies
Technical and Installation
2k
topics
9k
replies
Year-end Forum
89
topics
237
replies
Announcement!
This is a notification for product news or an alert. If you have a question, please start a new discussion
KathleenF

Advisory: Apache log4j vulnerability (CVE-2021-44228)

Posted By

Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability within all Apache log4j versions 2.0-beta9 to 2.15

References

https://logging.apache.org/log4j/2.x/security.html

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability 

A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.

The Sage 100 Development Team has investigated this, and the Apache Log4J 2 library is NOT used in the supported 2021, 2020, and 2019 versions of Sage 100. The Sage 100 SPC portal and landing page also do not use the Apache Log4J library and are not impacted. 

For customers using Sage 100 with Sage CRM, Sage CRM have produced patches which are currently being tested and we will advise on availability as soon as possible. The Quick Entry Sales Order integration feature does use the Log4J 1 library but the Log4J 1 library is not affected by this vulnerability.  Additionally, customers using Sage Intelligence reporting components of Sage 100 have also been investigated and cleared at this time. Sage Fixed Assets and Sage HRMS have also been cleared.

Finally, The SAP team has confirmed there is no impact on Crystal Reports, and Aatrix, which we use for payroll e-filing, has published this statement that they are also not impacted (aatrix.com/log4j)

It is important to note that while Sage has confirmed as many of our integrated applications and services as possible, applications and services provided by independent software vendors may still have vulnerabilities.  Customers should work with their reseller to ensure that their systems are secure.

References

https://access.redhat.com/security/cve/cve-2021-44228

https://solr.apache.org/news.html

https://launchpad.support.sap.com/#/notes/3129956 

Please watch the following Sage City links for news: https://www.sagecity.com/us/sage100_erp/f/sage-100-announcements-news-tips

Parents Reply Children
No Data

*Community Hub is the new name for Sage City