x Want to participate? Join the group to interact
  • Locked Locked
  • Replies 2 replies
  • Subscribers 378 subscribers
  • Views 5358 views
  • Users 0 members are here
Browse Forums
Announcements
268
topics
260
replies
Databases and Operating Systems
755
topics
2k
replies
Financials Suite
1k
topics
3k
replies
General Discussion
2k
topics
10k
replies
Operational Suite
849
topics
2k
replies
Reporting and Analytics
1k
topics
3k
replies
Reports, Macros, and Customizations
876
topics
3k
replies
Sage CRM for Sage 300
182
topics
407
replies
Announcement!
This is a notification for product news or an alert. If you have a question, please start a new discussion
KathleenF

Resolved : Apache log4j vulnerability (CVE-2021-44228)

Posted By

Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability within all Apache log4j versions 2.0-beta9 to 2.15

References

https://logging.apache.org/log4j/2.x/security.html

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.

The Sage 300 Development Team has investigated this, and the Apache Log4J 2 library is NOT used in the 2022, 2021, and 2020 versions of Sage 300.

While Sage 300 does use the Log4J 1 library (version 1.2.17) for our Global Search feature (used by SOLR 7.2.1), the Log4J 1 library is not affected by this vulnerability.  We are upgrading the log4j component in our next product update (April) for all supported versions.

For customers using Sage 300 with Sage CRM, Sage CRM have produced patches which are currently being tested and we will advise results and availability as soon as possible. Additionally, customers using Sage Intelligence and Sage Intelligence Reporting Cloud, bundled reporting components of Sage 300 have also been investigated and cleared at this time.

Finally, The SAP team, Crystal Reports, has confirmed no impact on any of their BI components and that includes Crystal Reports The team at Aatrix, has reviewed their payroll efiling solution, and they have assured us that they have no impact as well. 

References

https://access.redhat.com/security/cve/cve-2021-44228

https://solr.apache.org/news.html

https://launchpad.support.sap.com/#/notes/3129956 

Please watch the following Sage City links for news:

Sage City page: https://www.sagecity.com/us/sage300_erp/f/sage-300-announcements

Parents Reply Children
No Data

*Community Hub is the new name for Sage City