SAP Knowledge Base Article - Preview

3130967 - Mitigating Commerce Platform's Apache Log4j security vulnerabilities (CVE-2021-44228 and CVE-2021-45046) for onPrem solution


For CVE-2021-44228 and CVE-2021-45046

According to, Apache Log4j <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

As per the recent communication from Apache, to prevent the library being exploited it's urgently recommended that Log4j versions are upgraded ( to the latest log4j version.  

For CVE-2021-45105

Commerce is not impacted by the vulnerability with CVE-2021-45105 as the vulnerable patterns are not in use in the standard Commerce shipment.

The upgrade to log4j 2.17 has been done in latest patches of Enterprize Commerce versions 1905 and above.

However, if the customer environment contains any customized patterns it has to be investigated and potential vulnerabilities have to be disabled by the owner of the customization.



SAP Commerce on-premise solution


SAP Commerce all versions


KBA , CEC-COM-CPS-COR , SAP Commerce Core , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.