On 10.12.2021, the German Federal Office for Security (BSI) categorised the security vulnerability "Log4Shell" (CVE-2021-44228) as extremely critical, at warning level red. Software components used in connection with SAP Business One can also be affected by the Log4j vulnerability.
Log4j with gaps
The name Log4Shell refers to the fact that the vulnerability exists in a widely used Java code library called Log4j (Logging for Java). Attackers can exploit this vulnerability to execute arbitrary code of their choice on the affected system.
In other words, without needing a login, a password or any other access credentials, hackers could use a harmless-looking request to hijack servers. When the server logs the request, it is tricked into downloading code that contains malware.
SAP Business One affected by Log4Shell
SAP has identified 32 applications affected by CVE-2021-44228. As of yesterday, Patch Tuesday, the software manufacturer has already patched 20 of these applications and is still working feverishly on further fixes. SAP Business One is also affected. SAP has already published a note (an S-user is required), which mainly relates to SAP Business One version 10.
The following components are affected:
- Workflow
- License Server
- Service Layer
- Job Service
- Extension Manager
- Integration Framework (B1i)
All-clear for MARIProject regarding Log4Shell
According to the manufacturer, Log4Shell is not a problem for MARIProject, one of the major extensions for SAP Business One. MARIProject largely dispenses with the use of Java and is therefore not affected by the Log4j vulnerability. This applies in particular to the web client and mobile client, the web service and the RESTService.
Coresuite also not affected
The all-clear can also be given for Coresystems products.
The following software products are not affected:
- Coresuite and its modules
- Coresuite Service
- Coresuite Cube
- SAP B1 Cloud Connector
The following products were found to be using Log4j. Appropriate patches or recommended temporary fixes have been applied:
- SAP Field Service Management
As FSM is a cloud-based solution, no action is required on the part of the customer.
Log4Shell leaves CKS DIGITAL cold
C.K. Solutions rules out any effects across the board. None of CKS.DMS, CKS.ADC, CKS.EINVOICE, CKS.WEB, CKS.SUISSQR or CKS.RUN is affected by "Log4Shell" in any way.
COBISOFT not affected by Log4j zero-day vulnerability
The solutions from COBISOFT (COBI.time, COBI.wms, COBI.ppc, Cobi.edi, Cobi.msv) are not affected by the vulnerability in Log4j.
Boyum also unaffected
The Boyum support portal now also states that none of the products in the Boyum family use Log4j software and that they are therefore not affected by the security vulnerability.
UPDATE
As of 11.1.2022, SAP has fixed the problem related to the Apache Log4j vulnerabilities in SAP Business One. To apply the fix, existing SAP Business One installations must be updated to version 10 FP2111.
With the published patch, SAP no longer recommends using the workaround described above (SAP Note/KBA 3131789).

