The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes. JNDI classes and methods are not used in the Sage products.
Sage was alerted on Friday 10th December 2021 to a critical remote code execution vulnerability in all Apache Log4j versions from 2.0-beta9 to 2.15.
A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root).
The Sage Fixed Assets Development Team has investigated this, and the Apache Log4j 2 library is NOT used in the Sage Fixed Assets applications.
There is direct integration with the following products, if you own both products and choose to use the integration:
Sage 50 US
CCH ProSystem fx Tax
Abila MIP Fund Accounting
If you have a Sage Fixed Assets solution integrated with any of the Sage Solutions listed above, please check with the product-specific support site for further potential vulnerabilities related to Apache Log4j 2.
Finally, the SAP team (Crystal Reports) has confirmed no impact on any of their BI components, including Crystal Reports.
SageCity Post: Advisory: Apache log4j vulnerability (CVE-2021-44228)