‎12-17-2021 1:54 PM
I assume everyone received this notice, sent to me at 1:15 AM this morning? No details on what changed, just this:
This emergency patch is necessary to provide you with the most up-to-date security fixes available for your environments. This additional patch does not include any new functional changes, only fixes to already identified issues. New IQ reports will be generated as a part of this change.
I understand security is important, but I may not even get approval on a validation plan by the end of the day. How is everyone else handling this?
‎12-17-2021 2:34 PM
Thank you Param, that is correct. This patch is to apply an immediate security fix and is not associated with functional behavior changes in the application. Details of security patches that do not affect functional behavior are not shared for further protection of your environment.
‎12-22-2021 7:30 PM
@Sany - I wish it had been done a week before, given the holidays. I also understand the nature of the threat, but we have had security patches applied for the log4j issue weeks back.
@Ward - We have a provision in our change management process for emergency changes; I am almost certain this will qualify for one. Worst case, we will have to, given the nature of the risk/solution's timing.
Hope Santa has no more surprises these holidays ;-).
Have a great and safe holiday, you all.
- Dhruv
‎12-17-2021 3:47 PM
Thank you Param and Sany for the explanation and confirmation.
I am now thinking that I should write a procedure or policy regarding security/non-functional patches. If my QA and IT groups would allow it, I would like to just ignore them altogether, but I suspect I will be validating after the implementation. Again, I wonder what everyone else is doing?
‎12-18-2021 12:20 AM
Our IT QA team is completing a Change Assessment Form that explains that this is an emergency security patch (using the wording provided by SAP) and will likely reference the email communication we received on Dec 13 titled "SAP's Response to CVE-2021-44228 Apache Log4j 2". Of course, SAP is not going to expressly state that this emergency patch is in response to that security vulnerability, but I think an inference can logically be made. I do not think our QA team will require any formal validation since there are no functional changes being applied.
‎12-22-2021 8:55 AM
This morning we received a new announcement for B2105.28.3, only for Sandbox.
What about that? Will this also be deployed on stage & prod? When?
‎12-22-2021 2:26 PM
Hello everyone - I am looking to see how we can give more clarity on release notes when we do emergency patching. We are going to have another one this week, so it would be good for each of you to get clarity on protocol for non-functional emergency security patching. Please feel free to hit me up at meg.bear@sap.com if you need help -- want to make sure we don't ruin anyone's holiday.
‎12-22-2021 2:34 PM
Thanks Meg,
We would need a brief explanation of why this patch is being released with a statement from SAP that it has no impact on functionality.
Regards
‎12-22-2021 7:17 PM
Hello everyone - me again - I just confirmed that an email is going out for preview and production on B2105.28.3 -- we WILL be patching over the holiday. The email will have the specific information for your environment.
Timings will be between the following ranges:
- Preview - Thursday, 23rd Dec 3pm UTC until 24th Dec 11am UTC
- Production - Friday, 24th Dec 3pm UTC until 25th Dec 11am UTC.
We apologize that this is happening over the holiday. For any security information, please review our trust center: https://www.sap.com/uk/about/trust-center/security.html
Again, please let me know if there is anything else I can do to help minimize the inconvenience for your teams, our shared goal is to make sure that we keep our promise to your end users.