For CVE-2021-44228 and CVE-2021-45046
According to https://nvd.nist.gov/vuln/detail/CVE-2021-44228, in Apache Log4j 2 versions up to and including 2.14.1 the JNDI features used in configuration, log messages and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. (The NVD entry has since been widened to cover 2.0-beta9 through 2.15.0, excluding the security releases 2.12.2, 2.12.3 and 2.3.1, because the 2.15.0 fix was incomplete; that incompleteness is tracked as CVE-2021-45046.)
As per Apache's security advisory (https://logging.apache.org/log4j/2.x/security.html), it is urgently recommended to upgrade Log4j to the latest release to prevent the library from being exploited.
SAP Commerce is not affected by CVE-2021-45105, because the Pattern Layout Context Lookups that trigger it (for example $${ctx:loginId}) are not used in the standard Commerce shipment.
The upgrade to log4j 2.17 will be provided with the next official Commerce patch release.
However, if the customer environment contains any customized logging patterns, those have to be investigated by the owner of the customization, and any vulnerable lookups have to be removed or disabled (for a Context Lookup, Apache's guidance is to replace it with the %X, %mdc or %MDC pattern converter).
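One way to carry out that investigation, as an added example that is not SAP's or Apache's code: the script below parses a Log4j 2 XML configuration, reports every ${prefix:...} or $${prefix:...} lookup that appears in a layout pattern attribute (naming the appender it belongs to), and checks whether a given log4j-core version still predates the CVE-2021-45105 fix (2.17.0, with backports 2.12.3 and 2.3.1). The configuration it scans is constructed here for illustration and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2 configuration for this example; it is not an SAP
# Commerce configuration. The "audit" appender uses a deferred Context Lookup
# ($${ctx:loginId}) in its PatternLayout, which is the pattern shape that
# CVE-2021-45105 is concerned with.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c{1} - %m%n"/>
    </Console>
    <Console name="audit" target="SYSTEM_OUT">
      <PatternLayout pattern="%d user=$${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
      <AppenderRef ref="audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Matches ${prefix:...} and the deferred form $${prefix:...}; group 1 is the
# lookup prefix (ctx, env, sys, jndi, ...). Plain conversion braces such as
# %c{1} have no leading $ and are not matched.
LOOKUP_RE = re.compile(r"\$\$?\{([A-Za-z0-9_-]+):[^}]*\}")


def find_pattern_lookups(config_xml):
    """Return (appender, layout tag, lookup prefix, lookup text) for every
    lookup found in a 'pattern' attribute of a log4j2 XML configuration."""
    root = ET.fromstring(config_xml)
    parent = {child: p for p in root.iter() for child in p}
    hits = []
    for elem in root.iter():
        pattern = elem.get("pattern")
        if pattern is None:
            continue
        # Walk up to the nearest ancestor carrying a name= attribute, i.e. the appender.
        owner = parent.get(elem)
        while owner is not None and owner.get("name") is None:
            owner = parent.get(owner)
        appender = owner.get("name") if owner is not None else "<unnamed>"
        for m in LOOKUP_RE.finditer(pattern):
            hits.append((appender, elem.tag, m.group(1), m.group(0)))
    return hits


def affected_by_cve_2021_45105(version):
    """True if this log4j-core 2.x version predates the fix for the lookup
    recursion DoS: fixed in 2.17.0, with backports 2.12.3 (Java 7 branch) and
    2.3.1 (Java 6 branch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % version)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2:
        return False  # only the 2.x code line is in scope for this CVE
    if minor == 12:
        return patch < 3
    if minor == 3:
        return patch < 1
    return (minor, patch) < (17, 0)


def assess(config_xml, version):
    """Combine both checks into the decision a reviewer of a customized
    configuration needs: is the jar affected, and does any pattern use a
    Context Lookup (ctx) that MDC-controlled input could drive into recursion?"""
    hits = find_pattern_lookups(config_xml)
    ctx_hits = [h for h in hits if h[2] == "ctx"]
    version_affected = affected_by_cve_2021_45105(version)
    return {
        "version_affected": version_affected,
        "lookups": hits,
        "needs_action": version_affected and bool(ctx_hits),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CONFIG, "2.16.0")
    for appender, tag, prefix, text in report["lookups"]:
        print(f"appender={appender} {tag} uses {prefix} lookup: {text}")
    print("needs action:", report["needs_action"])
```

Run it against each log4j2.xml (or the Commerce advanced.properties-derived configuration) in the customized extensions, with the log4j-core version actually on the classpath; any ctx lookup on an affected version is the case the paragraph above asks the customization owner to remove. Lookups with other prefixes are reported as well, since they are worth a look during the same review even though they are not the CVE-2021-45105 trigger.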
Environment: SAP Commerce on-premise solution
Component: CEC-COM-CPS-COR (SAP Commerce Core); type: KBA, Problem