Alert: is your SAP Business One at risk of Log4j CVE-2021-44228 Vulnerability

Is your SAP Business One at risk of Log4j CVE-2021-44228 Vulnerability

What is Log4j

Log4j is a chunk of code that helps software applications keep track of their past activities. Instead of reinventing a “logging” — or record-keeping — component each time developers build new software, they often use existing code like log4j instead. It’s free on the Internet and very widely used, appearing in a “big chunk” of Internet services

Each time log4j is asked to log something new, it tries to make sense of that new entry and add it to the record. A few weeks ago, the cybersecurity community realized that by simply asking the program to log a line of malicious code, it would execute that code in the process, effectively letting bad actors grab control of servers that are running log4j.

How does this impact SAP Business One

Different components in SAP Business One and SAP Business One version for SAP HANA (version >= 9.3 PL07 and <=10.0 FP 2108) are using Log4j 2.x, so if you are not aware of this bug you’d better check your vendor support.

How to fix the security vulnerability in SAP Business One

SAP Business One fixed the issue. Customers need to implement or upgrade to SAP Business One FP2111, or there is some workaround published by SAP note KBA 3131789

What SAP Business One components are affected

There are lots of components are at risk, including:

  • Workflow
  • License Server
  • Service Layer
  • Job Service
  • Extension Manager
  • Integration Framework

Each component is at risk for some specific patches, for details please check your support or contact us.