SAP Addresses Log4Shell Vulnerability Patching in 20 Applications
Well over three billion devices run Java worldwide. Logging libraries are few, however, so many of those devices are likely to run the popular logging framework Log4j. Security experts and large businesses worldwide are currently on alert for a vulnerability known as Log4Shell in Log4j, a Java software component.
This vulnerability is among the most serious flaws discovered in a long time, and it has the potential to affect countless websites. Log4Shell can allow attackers to execute malware on a single device or across a network of servers.
Unfortunately, the range of possible delivery mechanisms and the diversity of applications in which the vulnerability can be exploited make it almost impossible to rely on firewall protection alone.
Prominent IT companies confirm a rise in malicious attacks resulting from the vulnerability. According to multiple sources, cybercriminals are now testing exploits for this flaw, which gives them elevated privileges to access and take control of apps and other affected systems.
One of the companies making headlines in its fight against the Log4Shell vulnerability is the giant German software maker SAP.
In response to the Log4Shell vulnerability in its apps, SAP is hurrying to remedy the problem. It has already released patches for dozens of other critical weaknesses in its applications.
Following the discovery of CVE-2021-44228, a severe vulnerability in the Apache Log4j Java-based logging library, SAP has patched 20 of the 32 impacted applications and is working to repair the remaining 12 as quickly and efficiently as possible.
In a report that details the impacted applications and the patching progress, SAP also gives proposed solutions for some of the programs that have not yet received fixes.
Additionally, as part of its regular Security Patch Day initiative, SAP released fixes for dozens of other security flaws in its systems.
According to a report by the SAP-focused security firm Onapsis, on its December 2021 Security Patch Day the company issued ten new security notes and five updated security notes. The total includes six notes released between the November and December Patch Tuesdays.
Furthermore, the company reported that two of the month’s security notes carry the highest severity rating SAP assigns. Rated as Hot News, these security notes have a CVSS score of 9.9/10.
The first security note addresses 11 code execution flaws in SAP Commerce (localization package for China). The vulnerabilities stem from the application’s use of the open source XStream library. The same release also tackles related denial of service (DoS) and server-side request forgery (SSRF) vulnerabilities.
The second security note fixes a code injection bug in ABAP Server and Platform by deactivating the vulnerable code. The good news is that its severity rating is not as high as the others, because an attacker would need several privileges to exploit it.
As part of the announcement, SAP also provided updates for two other recent security notes: one providing patches for the Chromium browser in Business Client, and another addressing an SQL injection vulnerability in the NZDT Mapping Table Framework.
SAP did not stop there, releasing six additional security notes on the Security Patch Day. The notes covering five applications address the most severe security vulnerabilities. They include:
- Code injection in NetWeaver AS ABAP
- Cross-site scripting (XSS) in Knowledge Warehouse
- Directory traversal in SAF-T Framework
- DoS in Success Factors Mobile Application for Android devices
- SQL injection and DoS in Commerce
Of these five security notes, the ones for SQL injection and DoS in Commerce, cross-site scripting (XSS) in Knowledge Warehouse, code injection in NetWeaver AS ABAP, and DoS in the Success Factors Mobile Application for Android devices cover moderately severe vulnerabilities, while the directory traversal in the SAF-T Framework relates to a much lower severity vulnerability.
Professionals stress that it is essential to be aware of the vulnerability’s potential long-term consequences. The first priority, however, is to take immediate action to limit the long tail of exploitation by attackers.