jgleichmann
Active Contributor

last updated: 2022-03-10 10:20 CET


Currently the security topic log4j (CVE-2021-44228 with a CVSS score of 10 of 10, and other related CVEs) is omnipresent. In this blog I want to show how you can check your HANA XSA systems, implement the mitigation, and verify that the settings are correct.

The log4j JNDI attack

Source: GovCERT.ch

The fix provided by log4j version 2.15.0 is incomplete in certain non-default configurations, so a new CVE was raised: CVE-2021-45046 (initial CVSS score 3,7, now 9,0 / 10).
This one will be fixed with log4j 2.16.0.
Details: lunasec

There is a new vulnerability called CVE-2021-45105 rated with a CVSS of 7,5.
This one will be fixed with log4j 2.17.0 which is now included in the latest XSA runtime version 1.0.142.

There is another new vulnerability called CVE-2021-44832 rated with a CVSS of 6,6.
This one will be fixed with log4j 2.17.1 which is now included in the latest patch XSA runtime version 1.0.143 and XSA Cockpit 1.1.26.

Overview

CVE             effect                                                             fixed by log4j version  CVSS score  mitigation via WA available  release date
--------------  -----------------------------------------------------------------  ----------------------  ----------  ---------------------------  ------------
CVE-2021-44228  execute arbitrary code loaded from LDAP servers                    2.16.0                  10          X                            20211126
CVE-2021-45046  remote code execution in some environments + local code execution  2.16.0                  9           X                            20211214
CVE-2021-45105  stack overflow / DOS - denial of service                           2.17.0                  7,5         X                            20211216
CVE-2021-44832  remote code execution (RCE) attack                                 2.17.1                  6,6         -                            20211211

To query the CVE database for all log4j vulnerabilities, use this search link.


The overall list of currently affected SAP products can be found in this document, which is updated constantly. Its last update is from 2022/03/09 15:55 EST (thanks to Kuto Baran for the hint).

There is a new central note for an overview (thanks to Matthias Sander for the hint):

3131047 - [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated ...

Hint: Mark the note as favorite (star in the upper right corner) to get notified for any update on it.

To mention some popular ones:

  • Cloud connector is not affected (Note: 3130868)

  • BusinessObjects is not affected (Note: 3129956) - This applies to all the SAP BI products listed in the Environment section of the above mentioned document

  • SAP NetWeaver Application Server Java is not impacted by the CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105. This applies to all the AS Java Core Components. Applications running on top of it using the libs can be affected! (Note: 3129883)

  • SAP NetWeaver Process Integration is affected (Notes: 3131436 / 3130521)

  • BTP Cloud Foundry applications can be affected (Notes: 3130476 / 3131208)

Mitigation CVE-2021-44228


Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.

  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class


Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.

Source: Apache

Log4jscanner

There is a command-line tool (written in Go) that scans for vulnerable JARs and can rewrite them in place, i.e. actively remove the vulnerable class from the detected JARs. See the git repository for further details.

XS Advanced applications


3131258 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 compon...

As the note states, the following HANA components are affected:

  • XSA

  • HANA Cockpit (which also is running as XSA application) - see also note 3131397


XSA runtime affected: version <= 1.0.140 (currently, as of 2021/12/21, there is a new version 1.0.141 which includes the fix from note 3130864 - EXTENDED APPLICATION SERVICES 1 Release Collection 1.0.141, containing log4j version 2.16.0) [thanks to Matthias Sander and sander.meijer3]

Determine XSA Runtime version


Login as sidadm:
xs version

Check whether you can use the mitigation parameter: it requires log4j version >= 2.10.

Determine log4j version


find /hana/shared/<SID>/xs/uaaserver/tomcat -name "*log4j*"

XS Advanced Runtime  log4j version  affected by                                     highest CVSS rating
-------------------  -------------  ----------------------------------------------  -------------------
<1.0.140             <2.15          CVE-2021-44228, CVE-2021-45046, CVE-2021-45105  10
1.0.141              2.16.0         CVE-2021-45105                                  7,5
1.0.142              2.17.0         CVE-2021-44832                                  6,6
1.0.143              2.17.1         -                                               -

Download patch search:

https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_E...


There is a patch for HANA Cockpit SP14 Patch 6 (RTC 2022/03/02) which includes XS Advanced Runtime 1.0.143. (Summary SP14)


The on-premise stack contains:
LCM for Cockpit - 2.5.61
HDB - 2.00.059
SAP_EXTENDED_APP_SERVICES - 1.0.143
XSAC_HRTT - 2.14.220501
XSAC_COCKPIT- 2.14.6
XSAC_PORTAL_SERV - 2.006.1
XSAC_XSA_COCKPIT - 1.1.26


Thanks to joerg.latza for posting the details.


Determine XSA Cockpit version


xs spaces
xs login -s <SPACE>
xs lc

XSA Cockpit version  log4j version  affected by                                     highest CVSS rating
-------------------  -------------  ----------------------------------------------  -------------------
<1.1.23              <2.15.0        CVE-2021-44228, CVE-2021-45046, CVE-2021-45105  10
1.1.23               2.15.0         CVE-2021-45046, CVE-2021-45105                  9
1.1.24               2.16.0         CVE-2021-45105                                  7,5
1.1.25               2.17.0         CVE-2021-44832                                  6,6
1.1.26               2.17.1         -                                               -

Download patch search:

https://launchpad.support.sap.com/#/softwarecenter/search/XSA%2520COCKPIT%25201

Attention

From the note: On SAP HANA systems with enabled System Replication (HSR), execute step 1 on the primary and all secondary systems. Executing steps 2-4 is required on the primary system, only.

Upgrade/Update issue
If you installed HANA cockpit as well, it is not recommended to upgrade XSA Cockpit separately.
Source: 3134932 - XSA Cockpit update fails with error "Selected component SAP HANA Cockpit Stack is not comp...
Credits to Matthias Sander for the hint.

The current information status is that all Java versions are affected, even when the property com.sun.jndi.ldap.object.trustURLCodebase is deactivated.
>> It was initially reported by Lunasec that servers running on JDKs versions higher than 6u211, 7u201, 8u191 are not affected by the LDAP RCE attack vector, as the com.sun.jndi.ldap.object.trustURLCodebase is disabled by default, hence JNDI cannot load a remote codebase using LDAP. However, further analysis by the community has revealed that all JDK versions are vulnerable to this kind of attack. Alvaro Muñoz commented on Twitter the deserialization attacks are still possible with the latest JDK: "The ldap server will return a serialized object which will get deserialized. RCE depends on gadget availability in the classpath though" <<

Source: https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/

Check the used java version:
cd /hana/shared/<SID>/xs/sapjvm_*/bin
./java -version

Implementation of the parameters


login as sidadm
cdcoc
cp -p xsuaaserver.ini xsuaaserver.ini.bkp
cat xsuaaserver.ini
#if only the section [configuration] is available (default):
echo "UAA.Jvm.AdditionalParameters = -Dlog4j2.formatMsgNoLookups=true" >> xsuaaserver.ini
cat xsuaaserver.ini
#if not, insert the line via vi
vi xsuaaserver.ini

Check your XSA before you apply changes (run diagnostics and back up the secure stores):
XSA diagnose
XSA backup-ssfs
XSA backup-fss

To find vulnerable XS advanced applications with respect to CVE-2021-44228:
xs-admin-login
xs find-artifacts -n "log4j-core*"

Mitigations (note that, because of the other CVEs besides CVE-2021-44228, an update is strongly recommended):

  1. set workaround environment parameter LOG4J_FORMAT_MSG_NO_LOOKUPS to true

  2. remove the JndiLookup class from the classpath


xs-admin-login
xs urevg --add LOG4J_FORMAT_MSG_NO_LOOKUPS true
cdxs
zip -q -d ./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
zip -q -d ./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

XSA restart

!!!This will restart your XSA services which means your applications will not be available for 15-30min!!!

Check xsuaaserver.out for the correct variables / parameters:
cdtrace
grep -i log4j xsuaaserver.out


as mentioned by sathiyaraj.jagadesh2 you can also check the parameters via revg:
xs revg | grep -i log4j


Check after implementation
XSA diagnose


Check the output in the trace directory: /hana/shared/<SID>/<hostname>/trace/xsa_diagnose_results.txt
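Putting the version tables and the two workaround checks above together, the following script is an added example (not code from this blog, from SAP or from Apache): it walks an XS installation directory, classifies each log4j-core jar by its file name against the fix levels of the overview table, and checks whether JndiLookup.class is still inside the jar and whether xsuaaserver.ini carries the formatMsgNoLookups parameter. The function names, the XS_DIR argument and the constructed demo tree are assumptions, not part of the original post.

```shell
#!/bin/sh
# Added example (not from the blog, SAP or Apache): classify every log4j-core
# jar below an XS Advanced installation against the overview table and check
# the two workarounds from this blog (JVM parameter in xsuaaserver.ini and
# JndiLookup.class removed from the jar). Fix levels follow the table's
# "fixed by log4j version" column:
#   CVE-2021-44228, CVE-2021-45046 -> 2.16.0
#   CVE-2021-45105                 -> 2.17.0
#   CVE-2021-44832                 -> 2.17.1

# version_ge A B: succeeds when dotted version A >= B (numeric parts, up to 3)
version_ge() {
    a=$(echo "$1" | tr '.' ' '); b=$(echo "$2" | tr '.' ' ')
    set -- $a 0 0 0; a1=$1; a2=$2; a3=$3
    set -- $b 0 0 0; b1=$1; b2=$2; b3=$3
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# open_cves VERSION: print the CVEs from the table still open for a log4j 2.x
# version (empty output when every fix level of the table is reached)
open_cves() {
    out=""
    version_ge "$1" 2.16.0 || out="$out CVE-2021-44228 CVE-2021-45046"
    version_ge "$1" 2.17.0 || out="$out CVE-2021-45105"
    version_ge "$1" 2.17.1 || out="$out CVE-2021-44832"
    echo "${out# }"
}

# jar_version PATH: version taken from a log4j-core-<version>.jar file name
jar_version() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# jndi_lookup_present JAR: succeeds when JndiLookup.class is still inside the
# jar, i.e. the "zip -q -d" workaround was not applied (needs unzip; returns 2
# when unzip is missing so the caller does not mistake that for "removed")
jndi_lookup_present() {
    command -v unzip >/dev/null 2>&1 || return 2
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# nolookups_configured INI: succeeds when xsuaaserver.ini carries the JVM
# parameter from the "Implementation of the parameters" section
nolookups_configured() {
    grep -q 'UAA\.Jvm\.AdditionalParameters *=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# scan_xsa XS_DIR INI: one report line per jar found, then the ini check
scan_xsa() {
    find "$1" -name 'log4j-core-*.jar' 2>/dev/null | sort | while read -r jar; do
        ver=$(jar_version "$jar"); cves=$(open_cves "$ver")
        if jndi_lookup_present "$jar"; then jndi="JndiLookup.class present"
        else jndi="JndiLookup.class not found (removed, or jar not inspectable)"; fi
        echo "$jar: log4j $ver, open CVEs: ${cves:-none}, $jndi"
    done
    if nolookups_configured "$2"; then echo "$2: formatMsgNoLookups=true is set"
    else echo "$2: formatMsgNoLookups=true is NOT set"; fi
}

# Constructed demo tree (not a real system): one empty 2.15.0 jar placed where
# the blog's find command looks, and an ini with only the [configuration]
# section, i.e. the default before the workaround is added.
demo() {
    tmp=$(mktemp -d)
    lib="$tmp/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib"
    mkdir -p "$lib" && : > "$lib/log4j-core-2.15.0.jar"
    printf '[configuration]\n' > "$tmp/xsuaaserver.ini"
    scan_xsa "$tmp/xs" "$tmp/xsuaaserver.ini"
    rm -rf "$tmp"
}
demo
```

On a real system call scan_xsa with /hana/shared/<SID>/xs and the xsuaaserver.ini from cdcoc instead of the demo tree; the jar check complements, but does not replace, xs find-artifacts for the deployed applications.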

As soon as there are updates on this topic I will update the blog.

I wish SAP would list the components and versions of each patch. Having this information would save every customer a lot of time figuring out the right patch levels. Currently these details are not published in any note or document; nowadays it should not be impossible to provide them.

SAP Security Patch Day - December 2021

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

https://securitybridge.com/sap-patchday/sap-security-patch-day-december-2021/

Further sources:

https://logging.apache.org/log4j/2.x/security.html

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

https://www.infoq.com/news/2021/12/log4j-zero-day-vulnerability/

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025...

https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/

https://github.com/google/log4jscanner
43 Comments
ajankowiak
Explorer
0 Kudos
Thank you very much Jens!
Sathya-08
Advisor

Hello,

One additional information, if you want to check after restart if the environment variable is set, then use below command,

xs revg

Retrieving the contents of the running environment variable group as ***_ADMIN...

Variable Name Assigned Value
--------------------------------------------
LOG4J_FORMAT_MSG_NO_LOOKUPS true

 

nerevar
Participant
0 Kudos
Hello,

Does this include the SAP BTP hana xs systems? if so what would be the procedure for those systems?

my version is

2.00.055.00.1615413201

I saw this note but it is really not clear to me if I have to do anything about it. I don't know where I can find what version of log4j is used...

Thanks/Regards
evelyn_curreri
Explorer
Excellent information. Thanks for sharing!
former_member182505
Contributor
0 Kudos
Good information with nice procedure
jhogenac
Explorer
Hi Jens, just a small thing regarding the upper section of your post: SAP BusinessObjects is NOT affected (not impacted). That's what is essentially stated in Note 3129956. BR Jens
jgleichmann
Active Contributor
Hi Jens,

nice to read from you. You are fully right - copy paste issue due to the fast writing procedure.

Regards,

Jens
jgleichmann
Active Contributor
Hi nerevar,

in the latest document it is described:

Appropriate patching or recommended temporary fixes were applied.

  • Customer Applications on BTP Neo Environment

  • Customer Applications on BTP Cloud Foundry Environment - Workaround

  • SAP HANA Service for BTP

Just have look into 3130476 - Detecting and remediating log4j CVE-2021-44228 vulnerabilities in BTP Cloud Foundry applications if it applies to you.

Regards,

Jens

Rudi_Wiesmayr
Active Participant
0 Kudos
Does anyone know when the XSA Patch 141 will be available here:
https://launchpad.support.sap.com/#/softwarecenter/template/products/%20_APP=00200682500000001943&_E...

Kind regards, Rudi
jgleichmann
Active Contributor
Hi Rudi,

nice to read from you again. I think it will take some time because log4j version 2.15.0 will also not fix all issues (see CVE-2021-45046). I think they will include a new library and test again from scratch - so this will take some more days until XSA Runtime V1.0.141 will be released.

Regards,

Jens

nerevar
Participant
0 Kudos
Thanks for the links and details, I was aware of those but was still not 100% clear.

My concerns were actually more about SAP HANA XS systems hosted in BTP NEO environments.

In your latest document link there is one line saying BTP Neo is not impacted, but later in the document there is this workaround note about HANA XS systems https://launchpad.support.sap.com/#/notes/3130698

This is what is confusing to me.

But If I understand right SAP Hana service for BTP covers hana xs systems also? so I should have no actions to perform on my side...

Have a nice day

Maxime
jgleichmann
Active Contributor
0 Kudos
There is no action to do on your side for BTP. The workaround affects the HANA XSA on-prem edition, not BTP. For BTP Cloud Foundry you can double check this via note 3130476.
nerevar
Participant
0 Kudos
Okay I understand better now thanks for your time !
former_member266590
Discoverer
0 Kudos
Hi Jens,

What happens if you are still running on log4j v1. We have checked our XSA & it is running v1.0.71.

I checked the

find /hana/shared/UHD/<SID>/xs/uaaserver/tomcat -name "*log4j*"
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-1.2.17.jar
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/slf4j-log4j12-1.7.24.jar
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/classes/log4j-cf.properties
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/classes/log4j.properties

So I don't believe the workaround supplied by SAP is applicable.

Thanks,

Ajay
Sathya-08
Advisor
0 Kudos
Hello Ajay,

As per SAP suggestion, log4j 1.x versions have been outdated since August 2015, so it's highly advisable to update to log4j 2.16

https://logging.apache.org/log4j/2.x/security.html

Thanks.
former_member50245
Discoverer
0 Kudos
Hi Jagadesh,

I am really not sure if that statement is true. SAP is actively using log4j v1* in many of their products until now.

While I understand log4j 1.x is out of support, my question is more about the solution being proposed by SAP.

Thanks,

Ajay
0 Kudos
Hello Ajay,

log4j1 is not affected by this bug.

Best Regards

Tobi
jgleichmann
Active Contributor
0 Kudos
Hi Ajay,

as mentioned by Tobi, log4j v1 is not affected and needs no fix or workaround. But in the end you should check if the product you are using is still in support. If any software uses outdated libs from 2015 you should consider replacing this software.

Regards,

Jens
D_Olderdissen
Advisor
Advisor
0 Kudos
Maybe the official communication from our SAP Security Team might help as well. It contains a list of many SAP applications that are not affected and also some that are in mitigation. Please check the document regularly as it gets updated constantly.

Document on the My Trust Center (Support Portal) - access requires an S-User:
https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025...
jgleichmann
Active Contributor
Hi Dirk,

the mentioned document is already linked and referred to as a source. I will add the detail that it is updated constantly as a further hint.

Regards,

Jens
SM9
Explorer

Hi Jens,

Thanks for the informative blog.

According to 3131258 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA you can upgrade to 1.0.141 (available now) or when this is not immediately possible, remove the JndiLookup.class from the jar-file. This should then fix XSA as a platform, but one should still check the XSA application on top of it. The latest xsa-cockpit, release 16.12.21, SP01 Patch23 for XSA COCKPIT 1) is based on 2.15.0. Any idea when 2.16.0 will be released?

hostname:sidadm> xs lc

Getting software components in org "ORG" / space "SAP" as XSA_ADMIN...
Found software components:

software component version
---------------------------------------
XSAC_ALM_PI_UI (sap.com) 1.14.1
XSAC_HRTT (sap.com) 2.12.20461
XSAC_PORTAL_SERV (sap.com) 1.5.1
XSAC_SAP_WEB_IDE (sap.com) 4.5.2
XSAC_SERVICES (sap.com) 1.7.12
XSAC_UI5_FESV5 (sap.com) 1.60.29
XSAC_UI5_FESV6 (sap.com) 1.71.28
XSAC_XSA_COCKPIT (sap.com) 1.1.23


hostname:sidadm> xs find-artifacts -n "log4j-core*"

Finding all artifacts of droplets with name wildcard "log4j-core*"...

path: /
+ DROPLET of application "xsa-cockpit" with index 6 in space "SAP" of org "ORG" created at Dec 17, 2021 10:18:30 AM (1 RUNNING, 1 STOPPED)
path: /app/
+ APP "xsa-cockpit" in space "SAP" of org "ORG" created at Nov 20, 2018 1:51:13 PM (STARTED)
path: /app/WEB-INF/lib/log4j-core-2.15.0.jar
JAR log4j-core 2.15.0
path: /app/WEB-INF/lib/log4j-core-2.15.0.jar

Found artifacts Affected droplets
-----------------------------------
2 1

Thanks!

Sander.

jgleichmann
Active Contributor
0 Kudos
Hi Sander,

thanks for the info. log4j version 2.15.0 is included which means that still CVE-2021-45046 is valid for 1.0.141. Only log4j version 2.16.0 will fix it completely.

Regards,

Jens
SM9
Explorer
0 Kudos
Not sure if XSA 1.0.141 includes 2.15.0 for the uaaserver (did not have the option yet to test the upgrade). The xsa-cockpit component however still uses it in the latest version.
0 Kudos
Have you checked CVE-2021-4104?
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

https://access.redhat.com/security/cve/CVE-2021-4104
jgleichmann
Active Contributor
0 Kudos
This is correct but in context of CVE-2021-44228 it is not affected. In the end when a software wasn't patched for years there are several security vulnerabilities. So, CVE-2021-4104 is not the first and not the last one 😉
SM9
Explorer

Hi Jens,

Found the time to update a sandbox to 1.0.141. This includes 2.16.0.

./uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-2.16.0.jar
./uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-2.16.0.jar

So it is definitely "just" xsa-cockpit which is still based on 2.15.0.

Update: new note confirms this version 1.1.23 contains 2.5.0: 3131397 - [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit

Am eagerly waiting on a version with 2.16.0 there as well.

Cheers,

Sander.

SM9
Explorer
0 Kudos

XSA Cockpit version 1.1.24 was just released, which indeed has 2.16.0.

hostname> xs find-artifacts -n "log4j-core*"

Finding all artifacts of droplets with name wildcard "log4j-core*"...

path: /
+ DROPLET of application "xsa-cockpit" with index 8 in space "SAP" of org "ORG" created at Dec 18, 2021 10:57:31 AM (1 RUNNING, 2 STOPPED)
path: /app/
+ APP "xsa-cockpit" in space "SAP" of org "ORG" created at Nov 20, 2018 1:51:13 PM (STARTED)
path: /app/WEB-INF/lib/log4j-core-2.16.0.jar
JAR log4j-core 2.16.0
path: /app/WEB-INF/lib/log4j-core-2.16.0.jar
0 Kudos
Hi Jens,

Do you know if the fix for HANA XS is sustainable or do we need to change it again because of the recent update on the log4j vulnerability?

Nipun
jgleichmann
Active Contributor
0 Kudos
Hi Nipun,

AFAIK the XS classic is not explicitly named as affected. The classic XS JavaScript (XSJS) is supported by a framework running in the Node.js runtime, which means that no log4j Java class is implemented. But to be on the safe side, you have to open an OSS ticket. Be aware that XSC has been deprecated for a long time and all applications should be migrated to XSA.

Regards,

Jens

Salocin_P
Discoverer
0 Kudos
Hi,

thanks for this valuable post!

I was able to find EXTAPPSER00P_142-70001316.SAR which seems to be XSA PL142.

Unfortunately no further information can be found in the Marketplace on whether this covers log4j 2.17

Do you probably have any insights here ?

Thanks in advance !

Nicolas

bjoern_straatmann
Discoverer

Hi *,

first I would like to thank everyone and especially Jens for sharing this information.

Just wanted to confirm that EXTAPPSER00P_142-70001316.SAR covers log4j 2.17.

xs version

Client version: xs v1.0.142

find /hana/shared/$SID/xs/uaaserver/tomcat -name "*log4j-core*"
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security/WEB-INF/lib/log4j-core-2.17.0.jar
/hana/shared/<SID>/xs/uaaserver/tomcat/webapps/uaa-security-oidc/WEB-INF/lib/log4j-core-2.17.0.jar

Br,
Björn

jgleichmann
Active Contributor
0 Kudos
Hi Björn,

thanks for cross checking. XSACXSACOCKPIT01_25-80002644.ZIP (1.1.25) and EXTAPPSER00P_142-70001316.SAR (1.0.142) include the latest log4j fix 2.17.0. Currently there are no known CVEs / vulnerabilities which are not fixed by this patch. This means everybody should patch the system to this patch level to avoid a security breach.

Thanks & merry X-mas

Jens
0 Kudos
Any update on 2.17.1 version of log4j for SAP.

We have vulnerability 376209 - Apache Log4j Remote Code Execution (RCE) Vulnerability (CVE-2021-44832), reported via Qualys tool.

And solution suggested is log4j be updated to version 2.17.1

In the blog, it is told 2.17.1 is not yet available.

Any plans for release of version 2.17.1?

Thanks,

Vikas
jgleichmann
Active Contributor
0 Kudos
Hi Vikas,

it is still the latest status. There is no released XSA COCKPIT or XS Advanced Runtime version for log4j 2.17.1. I don't have any release details for RTC of it.

Regards,

Jens
0 Kudos
Hi Jens,

There is another Qualys Vulnerability reported in our servers w.r.t log4j

106032 EOL/Obsolete Software: Apache Log4j 1.X Detected

it is pointing to "ds/log4j-1.2.17.jar#"

Customers are advised to upgrade to Apache Log4j 2.X, for more information please refer to

https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces

Has SAP released log4j 2X versions?

https://www.google.com/search?q=site:sap.com+"Log4j 2"

Support team says that SAP has not released log4j version 2x for hana systems

Is this info correct?

Thanks,

Vikas
jgleichmann
Active Contributor
0 Kudos
Hi Vikas,

please read the blog carefully. log4j V1 is not supported anymore. For the components mentioned in this blog there are updates with log4j V2 available. This is indicated by the 2 in the log4j version: 2.17.0

Which support team says there is no version 2? What is meant by "for hana systems"? A blank HANA installation doesn't include Java, so there is nothing to patch. Only when it comes to XSA is there something to do. But please read the blog and its sources properly. This will answer all your questions. If something is still unclear, please open an OSS ticket.

Regards,

Jens
Sathya-08
Advisor

Hello SAP Stalwarts,

XSA Cockpit version 1.1.26 released on 22nd Jan 2022 includes log4j 2.17.1 (log4j-api-2.17.1.jar & log4j-core-2.17.1.jar) version jar files. So we should be good to update this XSA Cockpit version. 

We still have to wait for SAP to release XSA Version and HANA Cockpit version with log4j 2.17.1 version.

Download Zip file -XSACXSACOCKPIT01_26-80002644.ZIP

Thanks

Sathya

jgleichmann
Active Contributor
Hi Sathya,

thanks for the update on this. I recently added this detail to the blog. The note which should describe it in detail is currently not officially available ("is being created").

Regards,

Jens
JaschaS
Explorer
0 Kudos
Hi Jens, with the Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.7 we found CVE-2021-4104 in Eclipse plugin com.sap.ndb.studio.modeler.cr4e.doc_2.3.62.jar (lib/log4j.jar). Is there any statement from SAP on this one? I haven't found anything relevant for this Eclipse plugin in the KB.
jgleichmann
Active Contributor
0 Kudos
Hi Jascha,

as far as I understand, you have scanned a Windows client and found an Eclipse plugin from the studio modeler. As you can read in the document provided by SAP, ABAP in Eclipse and HANA studio are not named as impacted. As it only affects clients I would not rate it too high 😉

Regards,

Jens
JaschaS
Explorer
0 Kudos
Hi Jens,

Thanks for your answer, you're right. I also don't estimate a high risk, but our automatic scan triggers an alert. Do you know if there is any plan to upgrade the used library anytime soon? It's hard to classify all our software packages as client-only or not to make a kind of exemption-list.
jgleichmann
Active Contributor
0 Kudos
Hi Jascha,

sorry, I'm not aware of the current roadmap. You have to open an OSS message to get these details from SAP.

Regards,

Jens
0 Kudos
Just an update for Folks

There is a new Patch available now for Hana Cockpit 2.0

HANA Cockpit 2.14.6 contains the XSA v1.0.143 and XSA Cockpit 1.1.26, and the log4j is 2.17.1

SAPHANACOCKPIT14_6-70002299.SAR

Cheers..

Shreyas