SAP Knowledge Base Article - Public

3131199 - CVE-2021-44228 - CR4Eclipse / CR4VS impact for Log4j vulnerability

Symptom

  • Vulnerability CVE-2021-44228 for log4j
  • How does this impact Crystal Reports for Visual Studio (CR4VS) / Crystal Reports for Eclipse (CR4Eclipse)?

log4j is an Apache library commonly used in Java applications. This particular issue was identified in log4j2 and fixed in log4j 2.15.0.

Environment

  • Crystal Reports for Visual Studio (CR4VS) 
  • Crystal Reports for Eclipse (CR4Eclipse)

Resolution

  • Crystal Reports for Visual Studio (CR4VS) is not impacted by CVE-2021-44228.

  • CR4Eclipse SP26 and earlier are not impacted.
    CR4Eclipse SP27 uses log4j 2.14 and is therefore impacted. An upgrade to log4j 2.17 is included in SP28 (released on December 22, 2021).
    CR4Eclipse SP27 users can also avoid the risk by setting the system property ‘log4j2.formatMsgNoLookups’ to ‘true’ (as described on NVD - CVE-2021-44228 (nist.gov)).
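
To confirm which of the cases above applies to a given installation, the following added example (not SAP's code) inventories log4j-core jars by their standard Apache file name and checks a JVM options file for the mitigation property. The function names, the status labels and the idea that the JVM arguments live in a plain-text options file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not SAP code): inventory log4j-core jars, check mitigation flag.
# Thresholds are the article's: fixed in 2.15.0; CR4Eclipse SP28 ships 2.17.

# Print the version embedded in a log4j-core jar file name (empty if none).
log4j_core_version() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9A-Za-z.-]*\)\.jar$/\1/p'
}

# Classify a version string: only 2.x is in scope for CVE-2021-44228.
classify_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    if [ "$major" != "2" ] || [ -z "$minor" ]; then
        echo "unknown"
    elif [ "$minor" -lt 15 ]; then
        echo "affected"            # e.g. the 2.14 shipped with SP27
    elif [ "$minor" -lt 17 ]; then
        echo "fixed-below-sp28"    # 2.15/2.16: fixed, but older than SP28's 2.17
    else
        echo "sp28-level"
    fi
}

# Scan a directory tree; print "<status> <version> <path>" for each jar found.
scan_tree() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(log4j_core_version "$jar")
        if [ -n "$ver" ]; then echo "$(classify_version "$ver") $ver $jar"; fi
    done
}

# Return 0 if the options file (path is an assumption) sets the mitigation
# property to true. Comment lines are skipped; the match is case-insensitive.
has_nolookups_flag() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
    grep -Eiq -- '-Dlog4j2\.formatMsgNoLookups=true([[:space:]]|$)'
}

# Stand-alone use: pass the installation directory as the first argument.
if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

A file-name scan does not see log4j classes that have been repackaged inside another jar, so an empty result is not proof of absence.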

See Also

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf

KBA 3129956 - CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105 - BusinessObjects impact for Log4j vulnerability

Keywords

CVE-2021-44228, log4j, vulnerability, JNDI, KBA, BI-RA-CR-SDK, SDK related, including Java/.NET etc., Problem

Product

Crystal Reports, version for Eclipse 2.0; SAP Crystal Reports, developer version for Microsoft Visual Studio