SAP Knowledge Base Article - Preview

3130939 - Mitigating Commerce Platform's Apache Log4j security vulnerabilities (CVE-2021-44228 and CVE-2021-45046) on SAP Commerce Cloud in Public Cloud

Symptom

For CVE-2021-44228 and CVE-2021-45046

According to https://nvd.nist.gov/vuln/detail/CVE-2021-44228, the JNDI features of Apache Log4j 2 up to and including 2.14.1, as used in configuration, log messages, and parameters, do not protect against attacker-controlled LDAP and other JNDI-related endpoints: an attacker who can get a crafted lookup string into a logged message can make the application resolve and load code from a server the attacker controls. CVE-2021-45046 covers the incomplete fix shipped in Log4j 2.15.0, under which certain non-default configurations remained exploitable.

As per the recent communications from Apache, the urgent recommendation to prevent the library from being exploited is to upgrade Log4j to the latest version (https://logging.apache.org/log4j/2.x/security.html).

For CVE-2021-45105

Commerce is not affected by CVE-2021-45105 because the vulnerable patterns (Context Lookups such as ${ctx:loginId} in a non-default PatternLayout, which allow uncontrolled recursion) are not used in the standard Commerce shipment.

The upgrade to Log4j 2.17 will be delivered with the next official Commerce patch release.

However, if the customer environment contains any customized logging patterns, these must be investigated and any vulnerable lookups disabled by the owner of the customization.
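As an added worked check (not part of this SAP KBA and not SAP Commerce code), the POSIX shell script below classifies each log4j-core jar found under a directory against the three CVEs discussed above, using the fixed-version thresholds published at https://logging.apache.org/log4j/2.x/security.html (2.15.0 / 2.16.0 / 2.17.0 on the main line, 2.12.2 / 2.12.3 on the Java 7 branch, 2.3.1 on the Java 6 branch), and lists any Context Lookup (${ctx:...} or $${ctx:...}) left in a log4j2 configuration file, which is the pattern relevant to CVE-2021-45105. The directory to scan, the jar naming log4j-core-<version>.jar and the configuration file names log4j2*.xml/properties/json/yaml are assumptions; a deployment may ship these under other names or paths.

```shell
#!/bin/sh
# Added example, not part of the SAP KBA or of SAP Commerce: find log4j-core jars
# under a directory, classify each against CVE-2021-44228 / -45046 / -45105, and
# report Context Lookups (${ctx:...}) in log4j2 configuration files.
# Version thresholds follow https://logging.apache.org/log4j/2.x/security.html.
# Assumptions: jars are named log4j-core-<version>.jar, configs log4j2*.{xml,properties,json,yaml,yml}.

# vercmp A B: prints -1, 0 or 1 for A <, =, > B (numeric compare per dotted field;
# a suffix such as "-beta9" counts as 0, so 2.0-beta9 sorts as 2.0).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# ge A B: true when version A is at least version B.
ge() { [ "$(vercmp "$1" "$2")" -ge 0 ]; }

# log4j_core_status VERSION: prints the CVEs still open for that log4j-core
# version, or "fixed". The Java 6 (2.3.x) and Java 7 (2.12.x) branches received
# their own security releases and are checked against those.
log4j_core_status() {
  v="$1"; open=""
  case "$v" in
    1.*)   printf 'log4j-1.x (not covered by these CVEs)\n'; return ;;
    2.3.*)
      ge "$v" 2.3.1  || open="CVE-2021-44228 CVE-2021-45046 CVE-2021-45105" ;;
    2.12.*)
      ge "$v" 2.12.2 || open="CVE-2021-44228 CVE-2021-45046"
      ge "$v" 2.12.3 || open="$open CVE-2021-45105" ;;
    *)
      ge "$v" 2.15.0 || open="CVE-2021-44228"
      ge "$v" 2.16.0 || open="$open CVE-2021-45046"
      ge "$v" 2.17.0 || open="$open CVE-2021-45105" ;;
  esac
  open="$(printf '%s' "$open" | sed 's/^ *//')"
  if [ -n "$open" ]; then printf '%s\n' "$open"; else printf 'fixed\n'; fi
}

# scan_log4j_jars DIR: one line per log4j-core jar, "<path> <version> <status>".
scan_log4j_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
    ver="$(basename "$jar" .jar | sed 's/^log4j-core-//')"
    printf '%s %s %s\n' "$jar" "$ver" "$(log4j_core_status "$ver")"
  done
}

# scan_pattern_lookups DIR: "<file>:<line>:<text>" for every ${ctx:...} or
# $${ctx:...} Context Lookup in a log4j2 configuration file; no output means none.
scan_pattern_lookups() {
  find "$1" -type f \( -name 'log4j2*.xml' -o -name 'log4j2*.properties' \
       -o -name 'log4j2*.json' -o -name 'log4j2*.yaml' -o -name 'log4j2*.yml' \) \
    -exec grep -H -n -E '\$\$?\{ctx:' {} + 2>/dev/null || true
}

# Usage: ./log4j-check.sh /path/to/deployed/platform
if [ $# -gt 0 ]; then
  scan_log4j_jars "$1"
  scan_pattern_lookups "$1"
fi
```

Any jar reported as anything other than "fixed" is resolved by the Log4j upgrade the KBA describes; for a customized pattern that the second scan flags, Apache's documented mitigation for CVE-2021-45105 is to replace the Context Lookup (${ctx:loginId} or $${ctx:loginId}) with a Thread Context Map pattern such as %X{loginId} in the PatternLayout.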



Environment

SAP Commerce Cloud in Public Cloud

Product

SAP Commerce Cloud all versions

Keywords

KBA , CEC-HCS-CCAZ-OPS , OPS component for General environment management , Problem
