Log4Shell Critical vulnerability

I know it has been a while since I last posted. So far it has been an incredibly busy year and I didn’t find much time/motivation to write new articles, but I think this one deserves it! A new RCE 0-day exploit was released yesterday for the log4j2 Java logging package, which is widely used. The exploit basically allows full server control pretty easily from a remote server. Considering the number of companies/services impacted, you can see how bad this is…

The vulnerability is CVE-2021-44228, also known as Log4Shell, and it has a CVSS score of 10.0, which is the highest possible.

Testing the exploit

The exploit allows full server control and it is incredibly easy to exploit; you can run your own test with a docker container if you don’t believe me:

docker run -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

Afterwards execute the following command on a new window:

curl 127.0.0.1:8080 -H 'User-Agent: ${jndi:ldap://127.0.0.1/a}'

And you should see the following in the logs:

2021-12-10 17:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

This basically means the attacker sends data to the server, and the server logs the request data that contains the malicious payload. The log4j vulnerability is then triggered by the payload and the server makes a JNDI request to the attacker's server whose address was passed in the first step. The response contains a path to a remote Java class file, which is loaded into the server process and allows arbitrary code execution on the server. The guys from Lunasec did an amazing job putting together information about this: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package.
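To make the sequence above concrete from the defender's side, here is an added Python example (not code from the post or from Lunasec): it scans log lines for the JNDI lookup string the curl test above sends and for the log4j warning quoted above, and extracts the endpoint the lookup would contact so it can be blocked at egress and used in incident triage. The access-log lines and the regular expressions are my own constructions; only the WARN message is taken from the post.

```python
import re

# Constructed sample input (not real traffic): two access-log style entries
# plus the log4j WARN line quoted in the post.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:17:14:55 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2021:17:14:56 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://127.0.0.1/a}"',
    ('2021-12-10 17:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource '
     '[ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 '
     '[Root exception is java.net.ConnectException: Connection refused (Connection refused)]'),
]

# Any ${...} lookup expression whose body mentions "jndi", case-insensitively.
# Matching on "jndi" inside a lookup rather than only the literal "${jndi:"
# avoids tying the check to one exact spelling.
LOOKUP_RE = re.compile(r'\$\{[^}]*jndi[^}]*\}', re.IGNORECASE)
# The endpoint a lookup would contact: "jndi:<scheme>://<host[:port]>".
ENDPOINT_RE = re.compile(r'jndi:([a-z]+)://([^/\s}]+)', re.IGNORECASE)
# log4j's own warning, emitted when the lookup was actually attempted.
JNDI_WARN_RE = re.compile(r'Error looking up JNDI resource \[([a-z]+)://([^/\]\s]+)', re.IGNORECASE)


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing suspicious."""
    m = LOOKUP_RE.search(line)
    if m:
        finding = {"kind": "inbound_payload", "expression": m.group(0),
                   "scheme": None, "target": None}
        e = ENDPOINT_RE.search(m.group(0))
        if e:
            finding["scheme"] = e.group(1).lower()
            finding["target"] = e.group(2)
        return finding
    w = JNDI_WARN_RE.search(line)
    if w:
        # The request reached a vulnerable log4j and the lookup was attempted.
        return {"kind": "lookup_attempted", "expression": None,
                "scheme": w.group(1).lower(), "target": w.group(2)}
    return None


def scan_lines(lines):
    """Scan lines in order and return the findings, each tagged with its line number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = scan_line(line)
        if f:
            f["line"] = n
            findings.append(f)
    return findings


def callback_hosts(findings):
    """Distinct hosts (port stripped) that the payloads point at; candidates for egress blocking."""
    hosts = set()
    for f in findings:
        if f["target"]:
            hosts.add(f["target"].split(":")[0])
    return sorted(hosts)


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LINES)
    for f in results:
        print(f)
    print("callback hosts:", callback_hosts(results))
```

An "inbound_payload" finding on its own only tells you someone tried; the "lookup_attempted" finding from log4j's own WARN line is the stronger signal that the request hit a vulnerable version, so the two should be correlated by time and target host.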

Does it affect SAP products?

So far SAP has released a few notes for this vulnerability and it seems that most of their products are not affected:

  • BusinessObjects and EIM products are not affected (there was a note related to EIM software but it seems they removed it):

3129956 – CVE-2021-44228 – BusinessObjects impact for Log4j vulnerability

  • SAP NW AS Java is not affected since BeanFactory is not present in the default installation. This doesn’t mean that your system is not affected, though: if you use third-party applications or software you might be affected. Please take a look, since the following note describes some steps to find out whether your system is affected:

3129883 – CVE-2021-44228 – AS Java Core Components’ impact for Log4j vulnerability

  • Content Server is not affected, even older versions:

3129960 – How Apache Log4j vulnerability affect SAP Content Server

  • XS Advanced Platform and applications are affected, per the following SAP Note, which also includes a remediation:

3130698 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications

The list of notes regarding this vulnerability is getting bigger by the moment. Some applications are affected, like SAP Mobile Platform, SAP Commerce Cloud, etc., while other SAP and non-SAP software, such as Sybase IQ, Oracle products, DB2 databases, etc., is not. I recommend checking the list of notes related to CVE-2021-44228 for the latest news.

Mike
