SAP Knowledge Base Article - Preview

3129883 - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 - AS Java Core Components' impact for Log4j vulnerability

Symptom

You want to know whether your SAP NetWeaver Application Server Java system is affected by the zero-day security vulnerability in the log4j library mentioned in the blog.

  • Vulnerability CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105 for log4j
  • How does this impact SAP NetWeaver Application Server Java Core Components
  • The AS Java Core Software Components are documented in KBA 1794179 Importing AS Java Core patches for NetWeaver 7.1 or higher

Log4j is an Apache library commonly used in Java applications. This particular issue was identified in Log4j2 and fixed in Log4j 2.17.0. See more in the document: Apache Log4j Security Vulnerabilities.



Environment

  • SAP NetWeaver Application Server Java all versions
  • Library versions Log4j 2.x (below 2.17.0) are affected
  • Library versions Log4j 1.x have not been checked (see Apache Log4j Security Vulnerabilities for more details), although updating the library is recommended; this version has not been supported or maintained since 2015.

Product

SAP NetWeaver Application Server for Java all versions

Keywords

Zero Day, security vulnerability, org.apache.naming.factory.BeanFactory, BeanFactory, CVE-2021-44228, Logger.class, Log4J, Log4j2, log4j2.15.0, log4j2.16.0, log4j2.17.0, KBA, BC-JAS-COR, Enterprise Runtime, Core J2EE Framework, XX-PART-WILY, Introscope by CA Technologies, BC-XI-CON-AFW-AAE, Advanced Adapter Engine, Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
