SAP Patches Log4j in its Apps

SAP identified a total of 32 applications affected by CVE-2021-44228, a critical vulnerability in the Apache Log4j Java-based logging tool, and has already shipped patches for 20 of them, while scrambling to fix the remaining 12 as soon as possible.

In a report containing information on the affected software and the status of patching, SAP is also providing recommended workarounds for some of the applications that have yet to receive patches.

SAP also announced the availability of fixes for tens of other severe vulnerabilities in its products, as part of its monthly Security Patch Day.

Advertisements

The company published 10 new security notes and five updated notes on its December 2021 Security Patch Day, to which six other notes released between the second Tuesday of November and the second Tuesday of December should be added, enterprise application security firm Onapsis says.

Two of this month’s new security notes were rated ‘hot news’, the highest severity rating in SAP’s playbook, both carrying a CVSS rating of 9.9 (out of 10).

The first of them addresses 11 code execution vulnerabilities in SAP Commerce the localization for China package which are related to the application’s use of the open source library XStream. The update also addresses denial of service (DoS) and server-side request forgery (SSRF) bugs.

The second new hot news security note fixes a code injection bug in ABAP Server & ABAP Platform by deactivating the vulnerable code. The bug doesn’t have the highest possible severity rating because an attacker needs at least few privileges to exploit it.

SAP also announced an update for two other hot news security notes, one delivering updates for the Chromium browser in Business Client, and another addressing an SQL injection in NZDT Mapping Table Framework.