As a result of the recently identified Log4Shell vulnerability (also known as CVE-2021-44228), the German Federal Office for Information Security (BSI) has issued a red alert for the IT threat level. The extremely critical security vulnerability in the widely used Java library Log4j threatens the IT of numerous companies. While all SAP cloud systems have already been patched, SAP on-premise systems may be affected by the vulnerability. The vulnerability in Log4j may also be relevant for applications on SAP BTP Neo and Cloud Foundry or for custom integration flows in SAP Cloud Integration (see SAP Note 3130846).
SAP provides an up-to-date overview of affected and unaffected systems. If in doubt, we recommend creating an SAP incident to check whether your currently deployed SAP products are affected by the Log4Shell vulnerability.
For SAP Identity Management (IdM), there is currently no need for action. SAP Note 3131771 states: “SAP IdM is using the Log4j library with version 1.2.x which is not affected by the reported vulnerability.”
However, AS Java could be affected by the vulnerability, as described in SAP Note 3129883. Our security experts can support you in identifying and fixing the Log4Shell vulnerability in your SAP systems. Should patches become necessary, you can contact us at any time to have them applied.