
Log4J Vulnerability notification CVE-2021-44228


Summary

CVE-2021-44228

Cause

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes. JNDI classes and methods are not used in the Sage products.

Resolution

CAUTION: Sage support can't assist with third-party products, hardware, report customizations, or state and federal tax questions. Refer to our Scope of Support for more info. Contact your Sage business partner, network administrator, or accountant for assistance.

Sage was alerted on Friday 10th December 2021 to a critical remote code execution vulnerability within all Apache Log4j versions 2.0-beta9 to 2.15.

References
https://logging.apache.org/log4j/2.x/security.html

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root).

The Sage Fixed Assets Development Team has investigated this, and the Apache Log4J 2 library is NOT used in the Sage Fixed Assets applications.

There is direct integration with the following products, if you own both products and choose to use the integration:

Sage 50 US
Sage 100
Sage 300
Sage 500
Sage Intacct
CCH ProSystem fx Tax
Abila MIP Fund Accounting

If you have a Sage Fixed Assets solution integrated with any of the solutions listed above, please check the product-specific support site for further potential vulnerabilities related to Apache Log4j 2.

Finally, the SAP team (Crystal Reports) has confirmed no impact on any of their BI components, including Crystal Reports.

Reference

SageCity Post: Advisory: Apache log4j vulnerability (CVE-2021-44228)

