Log4j and Sage 100 vulnerability?

Last week a proof of concept for a vulnerability around Log4j was distributed on the Internet (see "New zero-day exploit for Log4j Java library is an enterprise nightmare", bleepingcomputer.com).

Almost immediately bad actors started trying to exploit the vulnerability (see "Hackers start pushing malware in worldwide Log4Shell attacks", bleepingcomputer.com).

Is the Sage 100 server vulnerable to the Log4j vulnerability?  What impact would this have on Sage 100?

  • I'm not sure but someone just mentioned that Crystal Reports employs the Apache Log4J application (https://answers.sap.com/questions/13545419/log4j-security-vulnerability-with-sap-crystal-repo.html).

  • in reply to zip

    Actually just noticed on this SAP forum thread (same one above), specifically the post near the bottom by Don (SAP employee), that this does not impact Crystal Reports, i.e. "We've discussed this over the weekend and it does not impact CR or CR for VS or BOE runtime at all. Yes our version is out of date and we are working on updating it but there is no impact to .NET runtime since it's not used. So you can ignore the warning."

    Thanks.

  • in reply to zip

    New post in the SAP thread above:

    Here is the official answer from SAP (updated 13/12/2021 Ver. 3)

    • SAP BusinessObjects BI Platform is not impacted by CVE-2021-44228
    • The impacted component is the main JNDI package. JNDI classes and methods are not used in the SAP BusinessObjects BI Platform.
    • Further security / mitigation against Remote Code Execution is available at the Java level in 8u121 and 8u191, therefore we recommend customers be on a version of SAP BusinessObjects BI Platform that packages at least a version > 8u121. Therefore we recommend the minimum version that should be applied is 4.2 SP05. For more information about the versions of SAPJVM (and which Oracle JVM version they are based on) supplied per BI version, see:
      2914488 - List of Bundled SAP JVM versions shipped with selected Patches of SAP BusinessObjects Business Intelligence Platform 4.x

    See KBA 3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability
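    The SAP answer above pins the exposure on the JNDI lookup code inside log4j-core, and that same criterion is what an administrator can check on any server, a Sage 100 host included, while waiting for a vendor statement. The scanner below is an added example written for this thread, not code from Sage, SAP or ECI. It walks a directory tree, opens every jar/war/ear, descends into archives packed inside archives, reads the Log4j version from the file name or from the pom.properties that log4j-core ships, and reports whether JndiLookup.class is still present. The sample archives it builds are constructed stubs (empty class entries), and the per-branch fixed versions are the upstream Log4j releases that addressed CVE-2021-44228 (2.15.0 on the main line, 2.12.2 for Java 7, 2.3.1 for Java 6).

```python
"""Inventory Log4j 2 on a host: find log4j-core (also inside WAR/EAR/fat jars)
and report whether the JndiLookup class abused by CVE-2021-44228 is present."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # levels of archive-inside-archive to descend into

# First release of each branch that fixes CVE-2021-44228 (2.15.0 on the main
# line; the Java 7 and Java 6 branches got their own fixed releases).
FIXED_IN = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}
FIXED_DEFAULT = (2, 15, 0)

def version_from_name(label):
    """(major, minor, patch) from a path ending in log4j-core-X.Y.Z.jar, else None."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", label)
    return tuple(int(x) for x in m.groups()) if m else None

def version_from_pom(zf, names):
    """Fallback for renamed jars: the Maven pom.properties bundled in log4j-core."""
    if POM_PROPS not in names:
        return None
    text = zf.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version, has_jndi):
    if not has_jndi:
        return "mitigated"  # JndiLookup.class removed: lookups cannot reach JNDI
    if version is None:
        return "review"     # log4j-core present but version could not be read
    fixed = FIXED_IN.get(version[:2], FIXED_DEFAULT)
    return "patched" if version >= fixed else "affected"

def inspect_zip(zf, label, depth, findings):
    names = set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):  # log4j-core classes live here
        version = version_from_name(label) or version_from_pom(zf, names)
        has_jndi = JNDI_LOOKUP in names
        findings.append({"path": label, "version": version,
                         "jndi_lookup": has_jndi, "status": classify(version, has_jndi)})
    if depth >= MAX_DEPTH:
        return
    for n in sorted(names):  # descend into nested archives (fat jars, WEB-INF/lib)
        if n.lower().endswith(ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            inspect_zip(inner, f"{label}!{n}", depth + 1, findings)

def scan_tree(root):
    """Walk a directory (e.g. an application's install tree) and return findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(p) as zf:
                    inspect_zip(zf, str(p), 0, findings)
            except zipfile.BadZipFile:
                continue
    return findings

def build_fixture(root):
    """Constructed sample archives (empty class stubs, not real Log4j builds)."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "lib" / "log4j-core-2.14.1.jar", "w") as zf:  # old, JNDI present
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        zf.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(root / "lib" / "logging.jar", "w") as zf:  # renamed, class stripped
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:  # patched copy nested inside a WAR
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        zf.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", inner.getvalue())
    with zipfile.ZipFile(root / "lib" / "other.jar", "w") as zf:  # unrelated library
        zf.writestr("com/example/Main.class", b"")
    return root

def demo():
    """Scan the constructed tree; map each hit (relative path) to its status."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(tmp)
        prefix = len(str(root))
        return {f["path"][prefix:].lstrip("/\\").replace("\\", "/"): f["status"]
                for f in scan_tree(root)}

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:10} {path}")
```

    To use it on a real server, call scan_tree() on the application's install directory and treat "affected" and "review" entries as the ones needing a vendor patch or, failing that, removal of JndiLookup.class from the jar. A jar from the Log4j 1.x line (package org/apache/log4j/) is deliberately not reported, since that code base is a different artifact from the log4j-core discussed in this thread.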

  • We're getting the same questions from customer IT, as news of Log4j spreads.

    Can Sage prepare a KB article we can share about how Sage 100 is (or hopefully isn't) affected by this vulnerability?

  • in reply to Kevin M

    Here are the only items I located in the KB:

  • in reply to zip

    Agree 100% with Kevin. It would be good at this point to have a KB specific for Sage 100.

    Here is an email I received last Saturday (12/11) from ECI (which now owns KnowledgeSync), titled "Important Security Notification"

    What Happened:

    On December 9, 2021 a security vulnerability in an open source library called Log4J was made public. This library is in wide use within the global software community and is used to log events in the normal use of software, most often in Java- based applications.

    If exploited, this vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to import malware that allows them to take control of targeted systems.

    This vulnerability is not unique to ECI’s software and could be present in other software that you use in your business as well. We encourage your internal team to examine the impact of this security issue on other vendor software you may be using.

    ECI’s Response:  

    Our Security, Cloud Operations, and Product Development teams have worked diligently over the last 24 hours to assess and mitigate our use of Log4j. We have found very few instances of our direct use of Log4j and have remediated these vulnerable versions within our Cloud Offerings.

    We continue to monitor the situation and will keep you apprised of any important updates.

    How Does this Affect You:

    You do not need to take any action at this time.  In most cases, our customers’ use of ECI software products is unlikely to be materially affected by this vulnerability. For ECI customers using our cloud offering, our security team has already identified and applied fixes.

    There is no need to contact our support organization. If you are directly affected, we will proactively contact you with further information.

    ECI takes the security of our customers’ software very seriously. We are partners in your success and will continue to communicate any new information as it develops.

    Thank you,
    ECI Support

  • in reply to Kevin M

    KB article re: Sage 100: 

    What impact does the Log4j vulnerability have on Sage 100?
    Created on 12-13-2021 | Last modified on 12-14-2021
    Summary
    What impact does the Log4j vulnerability have on Sage 100?
    Is the Sage 100 server vulnerable to the Log4j vulnerability?
    Resolution
      • Sage Engineering was made aware of the Log4j vulnerability on Friday Dec 10 and is currently researching whether there is any effect on Sage 100. While it's unlikely Sage 100 is affected, Sage Engineering is currently researching this and will provide an update when the research is complete.
    Keywords: 
    Product: Sage 100
    Solution ID: 113754
    Published on: 12-14-2021
    Applies to: Download and installation > Installation

  • in reply to zip

    Thanks - apparently I am no longer an "S-User" SAP person, only a "P-User". Not sure when and how that happened but would it be informative to get a PDF copy of that KBA?

  • in reply to rclowe

    Sorry, I don't have access to it either.

  • in reply to zip

    I had a brief stint with an SAP Business One reseller, and at that point I was pretty sure I had S-User credentials to the SAP site(s). Maybe has the ability to get onto that site. Amazing how protective they are of it, or maybe I'm just missing something.