Log4j and Sage 100 vulnerability?

Last week a proof of concept for a vulnerability around Log4j was distributed on the Internet. See "New zero-day exploit for Log4j Java library is an enterprise nightmare" (bleepingcomputer.com).

Almost immediately bad actors started trying to exploit the vulnerability. See "Hackers start pushing malware in worldwide Log4Shell attacks" (bleepingcomputer.com).

Is the Sage 100 server vulnerable to the Log4j vulnerability?  What impact would this have on Sage 100?

  • I'm not sure but someone just mentioned that Crystal Reports employs the Apache Log4J application (https://answers.sap.com/questions/13545419/log4j-security-vulnerability-with-sap-crystal-repo.html).

  • Actually just noticed on this SAP forum thread (same one above), specifically the post near the bottom by Don (SAP employee), this does not impact Crystal Reports – i.e. “We've discussed this over the weekend and it does not impact CR or CR for VS or BOE runtime at all.  Yes our version is out of date and we are working on updating it but there is no impact to .NET runtime since it's not used.  So you can ignore the warning.”



  • New post in the SAP thread above:  

    Here is the official answer from SAP (updated 13/12/2021 Ver. 3)

    • SAP BusinessObjects BI Platform is not impacted by the CVE-2021-44228
    • The impacted component is the main JNDI package. JNDI classes and methods are not used in the SAP BusinessObjects BI Platform.
    • Further security / mitigation against Remote Code Execution is available at the Java level in 8u121 and 8u191, therefore we recommend customers to be on a version of SAP BusinessObjects BI Platform that packages at least a version > 8u121. Therefore we recommend the minimum version that should be applied is 4.2 SP05. For more information about the versions of SAPJVM (and which Oracle JVM version they are based on) supplied per BI version, see:
      2914488 - List of Bundled SAP JVM versions shipped with selected Patches of SAP BusinessObjects Business Intelligence Platform 4.x

    see KBA 3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

  • We're getting the same questions from customer IT, as news of Log4j spreads. 

    Can Sage prepare a KB article we can share about how Sage 100 is (or hopefully isn't) affected by this vulnerability?

  • Here are the only items I located in the KB: