Update: January 14, 2022
SAP has marked this issue as resolved with the release of SAP Business One 10.0 FP2111. Upgrading to this version is not required, but is an option. Please contact email@example.com if you want to discuss an upgrade.
The latest version of the workaround will also address the issue: Mitigate Log4j CVE-2021-442288 Vulnerability in SAP Business One (version 7).
Note that all affected versions are mentioned in the above instructions. If your version is not mentioned, it is not affected and no action is required.
Update: December 28, 2021
For companies that run the SAP Business One Integration Framework (B1 10.0 FP2105, and B1 10.0 FP2108), please see updated instructions from SAP: Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One (version 6).
Update: December 23, 2021
For companies that run version 9.3 where the Workflow component is installed, please see updated instructions: Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One (version 5).
Update: December 17, 2021
SAP has provided an updated set of instructions to resolve this issue: Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One (version 3).
For on-premise customers, please implement these changes and see below for additional steps you can take to protect your system.
Update: December 16, 2021
SAP has confirmed that the Log4j2 vulnerability affects the SAP Business One application and has provided a resolution for versions 9.3 patch level 07 and higher. The table below includes details of the resolutions currently available. If you're not sure what version and patch level you're running, you can find instructions here.
We're waiting on a response from SAP on versions prior to 9.3 PL07 and will share updates in this article as we learn more.
|9.3 PL07||10.0 FP2008||10.0 FP2102||10.0 FP2105||10.0 FP2108|
|Workflow||SQL / HANA||SQL / HANA||SQL / HANA||SQL / HANA||SQL / HANA|
|License Server||SQL / HANA||SQL / HANA||SQL / HANA||SQL / HANA|
|Service Layer||SQL / HANA||SQL / HANA||SQL / HANA||SQL / HANA|
|Component Job Service||SQL / HANA||SQL / HANA||SQL / HANA|
|Extension Manager(SLD)||SQL / HANA||SQL / HANA||SQL / HANA||SQL / HANA|
|Integration Framework||Fix available||Fix available|
If your SAP Business One system is hosted with ProjectLine:
ProjectLine will apply the fix to your system over the next couple days.
Be assured that industry best practices and the latest in cyber protection technologies are being used to protect your systems. In addition to our multi-layer backup and recovery infrastructure and proactive system management procedures, we’ve implemented a solution from CrowdStrike, the leader in next generation endpoint protection, to stop breaches, ransomware and cyber attacks. All systems managed by our service are actively monitored and protected by this state-of-the-art technology.
How to apply the fix to on-premise systems:
You and your IT provider should follow the steps outlined in this document: Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One (version 3).
If you require assistance from ProjectLine, please contact firstname.lastname@example.org. We'll get you in the queue as quickly as possible.
Other steps to protect your on-premise systems:
In addition to the above resolution for SAP Business One, we recommend you and your IT specialists implement the following to ensure that all of your on-premise systems are as resilient as possible:
- Backups – Confirm that all system backups are operating correctly and that recovery plans are tested on a regular basis. Data used for system recovery should be stored in a secure off-site location.
- Updates – Ensure that the latest security patches and system updates are installed.
- Endpoint Protection – Install and maintain virus and malware protection software.
- Minimize Attack Surfaces –Confirm that firewall and other network configurations minimize external access (e.g., open ports and external IP addresses) to ensure your systems aren’t unnecessarily exposed to the internet.
December 14, 2021
Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. Recently a critical security vulnerability has been identified that impacts the Log4j2 framework (www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations).
The Apache web service is used by the SAP Business One application; however, it's uncertain at this time if the Log4j2 utility is part of this web service. We're currently waiting on a response from SAP with guidance on this matter.
We'll update this article as we find out more information.