Symptom
For CVE-2021-44228 and CVE-2021-45046
According to https://nvd.nist.gov/vuln/detail/CVE-2021-44228, the JNDI features of Apache Log4j <= 2.14.1 used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
As per the recent communication from Apache (https://logging.apache.org/log4j/2.x/security.html), it is urgently recommended to upgrade Log4j to the latest version to prevent the library from being exploited.
For CVE-2021-45105
Commerce is not impacted by CVE-2021-45105, as the vulnerable patterns are not used in the standard Commerce shipment.
The upgrade to log4j 2.17 has been done in the latest patches of Enterprise Commerce versions 1905 and above.
However, if the customer environment contains any customized patterns, the owner of the customization has to investigate them and disable any potential vulnerabilities.
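The two checks a Commerce administrator would want after reading the advice above, written here as an added example (not SAP's or Apache's code): first, locate log4j-core jars below the 2.17 level the KBA names as patched; second, scan a log4j2 XML configuration for customized PatternLayout patterns that contain a Context Lookup (`${ctx:...}` or `$${ctx:...}`), which is the pattern CVE-2021-45105 depends on. The jar names and the configuration are constructed sample input; real deployments would feed the script their actual classpath listing and configuration files.

```python
import re
import xml.etree.ElementTree as ET

# From the KBA: the patched Commerce releases ship log4j 2.17; anything older is flagged.
FIXED_VERSION = (2, 17, 0)

# Matches log4j-core jar names such as log4j-core-2.14.1.jar (a path prefix is allowed).
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")

# A Context Lookup inside a layout pattern: ${ctx:...} or the escaped form $${ctx:...}.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:")

# Constructed sample input: one vulnerable core jar, one patched, one unrelated api jar.
SAMPLE_JARS = [
    "/opt/commerce/lib/log4j-core-2.14.1.jar",
    "/opt/commerce/lib/log4j-core-2.17.0.jar",
    "/opt/commerce/lib/log4j-api-2.17.0.jar",
]

# Constructed sample log4j2 configuration: a safe layout and a customized one
# that embeds a Context Lookup via a nested <Pattern> element.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
    </Console>
    <Console name="Custom" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %-5p user=$${ctx:loginId} %c - %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Safe"/></Root></Loggers>
</Configuration>
"""


def parse_log4j_core_version(filename):
    """Return (major, minor, patch) for a log4j-core jar name, or None if it is not one."""
    m = JAR_RE.search(filename)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def outdated_jars(filenames):
    """Return the log4j-core jars whose version is below FIXED_VERSION."""
    result = []
    for name in filenames:
        version = parse_log4j_core_version(name)
        if version is not None and version < FIXED_VERSION:
            result.append(name)
    return result


def layout_patterns(config_xml):
    """Yield every pattern declared on a PatternLayout, whether given as a
    'pattern' attribute or as a nested <Pattern> element."""
    root = ET.fromstring(config_xml)
    for layout in root.iter("PatternLayout"):
        attr = layout.get("pattern")
        if attr:
            yield attr
        for child in layout.findall("Pattern"):
            if child.text:
                yield child.text.strip()


def context_lookup_patterns(config_xml):
    """Return the layout patterns that contain a Context Lookup.
    Patterns assembled indirectly through <Properties> are not resolved here."""
    return [p for p in layout_patterns(config_xml) if CTX_LOOKUP_RE.search(p)]


def report(jar_names, config_xml):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"outdated log4j-core jar: {j}" for j in outdated_jars(jar_names)]
    findings += [f"context lookup in layout pattern: {p}"
                 for p in context_lookup_patterns(config_xml)]
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_JARS, SAMPLE_CONFIG):
        print(line)
```

The jar check only reads file names, so a shaded or renamed log4j-core inside another jar would be missed; the pattern check reads layouts as declared and does not expand configuration properties, which is why the KBA's instruction to have the customization owner review any customized patterns still applies.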
Environment
SAP Commerce on-premise solution
Keywords
KBA , CEC-SCC-PLA-PL , Platform , CEC-SCC-COM-SRC-SER , Search and Navigation , Problem
About this page
This is a preview of an SAP Knowledge Base Article.