What is Log4j?
Log4j is a piece of code that helps software applications keep track of their past activities. Rather than reinventing a “logging” (record-keeping) component each time they build new software, developers often use existing code such as Log4j. It’s free on the Internet and very widely used, appearing in a “big chunk” of Internet services.
Each time Log4j is asked to log something new, it tries to make sense of that new entry and add it to the record. A few weeks ago, the cybersecurity community realized that by simply asking the program to log a line of malicious code, it would execute that code in the process, effectively letting bad actors grab control of servers that are running Log4j.
How does this impact SAP Business One?
Different components in SAP Business One and SAP Business One, version for SAP HANA (version >= 9.3 PL07 and <= 10.0 FP 2108) use Log4j 2.x, so if you were not aware of this bug, you should check with your vendor support.
How to fix the security vulnerability in SAP Business One
The issue has been fixed in SAP Business One. Customers need to implement or upgrade to SAP Business One FP2111, or apply the workaround published in SAP Note KBA 3131789.
What SAP Business One components are affected?
Many components are at risk, including:
- Workflow
- License Server
- Service Layer
- Job Service
- Extension Manager
- Integration Framework
Each component is at risk at specific patch levels; for details, please check with your support or contact us.
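To see which installed components actually bundle Log4j 2.x, an inventory check like the following can be run on the server. It is an added example, not SAP's code or part of the original page: it lists log4j-core 2.x jars (including ones nested inside WAR/EAR files) and reports whether the JndiLookup class shipped in log4j-core is still present. It assumes the usual log4j-core-<version>.jar file naming, takes the install directory as an argument (the path is not given on this page), and uses a constructed sample tree when no argument is supplied.

```python
import io, os, re, sys, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # JNDI lookup class in log4j-core 2.x
# Assumption: jars keep the usual log4j-core-<version>.jar file name
CORE_NAME = re.compile(r"log4j-core-(2\.\d+(?:\.\d+)?)[^/\\]*\.jar$", re.I)
ARCHIVES = (".jar", ".war", ".ear")

def inspect_archive(label, findings, src=None):
    """Record Log4j 2.x core jars (by name or by JndiLookup class), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(src if src is not None else label)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a zip archive: skip it
    with zf:
        names = zf.namelist()
        match = CORE_NAME.search(label)
        has_jndi = JNDI_CLASS in names
        if match or has_jndi:
            findings.append({"path": label, "version": match.group(1) if match else "unknown",
                             "jndi_lookup": has_jndi})
        for n in names:
            if n.lower().endswith(ARCHIVES):
                inspect_archive(f"{label}!{n}", findings, io.BytesIO(zf.read(n)))

def scan(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                inspect_archive(os.path.join(dirpath, name), findings)
    return findings

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed sample tree: a core jar with the class, and one inside a WAR without it."""
    with tempfile.TemporaryDirectory() as root:
        war = make_jar({"WEB-INF/lib/log4j-core-2.13.3.jar": make_jar({"META-INF/MANIFEST.MF": b""})})
        for fname, data in (("log4j-core-2.14.1.jar", make_jar({JNDI_CLASS: b""})), ("app.war", war)):
            with open(os.path.join(root, fname), "wb") as f:
                f.write(data)
        return sorted(scan(root), key=lambda r: r["version"])

if __name__ == "__main__":
    print(*(scan(sys.argv[1]) if len(sys.argv) > 1 else demo()), sep="\n")
```

Each finding gives the archive path, the version parsed from the file name, and whether the class is present; compare the results against the patch levels your support confirms for each component.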