Skip to content
logo Knowledgebase

Log4J Vulnerability notification CVE-2021-44228

Created on  | Last modified on 

Summary

CVE-2021-44228

Cause

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes. JNDI classes and methods are not used in the Sage products.

Resolution

CAUTION: Sage Customer Support does not assist with issues related to third-party products or enhancements, hardware, report customizations, state or federal tax-related questions, or specific accounting questions. Please get in touch with your Sage business partner, network administrator, or accountant for assistance. Please refer to our Scope of Support document for details.

Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability within all Apache log4j versions 2.0-beta9 to 2.15

References
https://logging.apache.org/log4j/2.x/security.html

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root).

The Sage Fixed Assets Development Team has investigated this, and the Apache Log4J 2 library is NOT used in the Sage Fixed Assets applications.

There is direct integration with the following products, if you own both products and choose to use the integration:

Sage 50 US
Sage 100
Sage 300
Sage 500
Sage Intacct
CCH ProSystem fx Tax
Abila MIP Fund Accounting

If you have a Sage Fixed Asset solution integrated with any of the Sage Solutions listed above please check with the product specific support site for further potential vulnerabilities related to Apache Log4j 2.

Finally, The SAP team, Crystal Reports, has confirmed no impact on any of their BI components, including Crystal Reports.

Reference

SageCity Post: Advisory: Apache log4j vulnerability (CVE-2021-44228)


Chat with support