SAP Security Mandate: SAP Software and Log4J Remote Code Execution

SAP continues to investigate the remote code execution vulnerability (CVE-2021-44228) related to Apache
Log4j disclosed on Dec 10, 2021. SAP encourages our customers to update to the latest version of Log4j, where
applicable.

Log4Shell

SAP Product-Specific Information
No Known Impact

At the time of publication (time stamped above), the following non-exhaustive list of SAP products do not
contain components affected by this CVE.

• Customer Applications on BTP Neo Environment (logging API cannot be changed)
• SAP S/4HANA On-Premise on ABAP
• SAP S/4HANA Cloud Edition
• SAP Access Control 12.0 for SAP S/4HANA
• SAP Access Control 12.0
• SAP Adaptive Server Enterprise (Sybase ASE)
• SAP AI Business Services
• SAP AI Foundation
• SAP assurance and compliance software 1.3 for SAP S/4HANA
• SAP assurance and compliance software 1.4 for SAP S/4HANA
• SAP assurance and compliance software 1.3
• SAP assurance and compliance software 1.4
• SAP Behavioral Insights
• SAP BTP SDK for Android
• SAP BW/4 HANA
• SAP Business ByDesign
• SAP Business Planning and Consolidation (BPC MS, BPC NW, BPC/4HANA)
• SAP BusinessObjects Business Intelligence
• SAP BusinessObjects Explorer
• SAP BusinessObjects Data Services
• SAP BusinessObjects Financial Information Management
• SAP BusinessObjects Knowledge Accelerator
• SAP Business Technology Platform, Kyma runtime
• SAP Business Technology Platform, Neo environment
• SAP Cloud Appliance Library
• SAP Cloud for Real Estate
• SAP Cloud for Utilities Foundation
• SAP Compliant Handling
• SAP Content Server (650 and lower)
• SAP Contract Lifecycle Management
• SAP Convergent Charging
• SAP Configure Price Quote
• SAP Connector Management Service
• SAP Conversational AI
• SAP Customer Profitability Analytics
• SAP Data Custodian
• SAP Data Custodian key management service
• SAP Data Services
• SAP Data Warehouse Cloud
• SAP DCS ATP
• SAP DCS CPS
• SAP DCS DDMRP
• SAP DCS PPDS
• SAP Digital Manufacturing Edge – Plant Connectivity
• SAP Digital Payments
• SAP Digital Vehicle Hub
• SAP Disclosure Management
• SAP DVO – Create Vehicle
• SAP DVO – Digital Vehicle Sales
• SAP DVO – Fleet Management
• SAP E-Mobility
• SAP Edge Lifecycle Management
• SAP Electronic Invoicing for Brazil 10.0 (SAP Nota Fiscal Eletronica 10.0)
• SAP Electronic Invoicing for Brazil 10.0 (SAP Nota Fiscal Eletronica) for SAP S/4HANA
• SAP Engineering Control Center for S/4HANA
• SAP Event Stream Processor
• SAP Financial Compliance Management
• SAP Financial Consolidation
• SAP Fiori 1.0 for SAP Risk Management and SAP Process Control
• SAP Fiori 1.0 for SAP Access Control
• SAP Fiori Apps Reference Library
• SAP Fiori Elements V2 and SAP Fiori Elements V4
• SAP Fiori for SAP Global Trade Services, edition for SAP HANA 2020
• SAP Fiori tools
• SAP Focused Build and Insights 2.0 (On-Premise)
• SAP Focused Run 3.0 (On-Premise)
• SAP Forecasting and Replenishment, add-on for fresh products (On-Premise)
• SAP Forecasting and Replenishment (On-Premise)
• SAP Global Trade Services 11.0
• SAP Global Trade Services, edition for SAP HANA 2020
• SAP Group Reporting Data Collection
• SAP GUI for Java
• SAP HANA Database (Database, Dynamic Tiering, Client, and HANA Studio)
• SAP HANA Smart Data Integration (DP Agent)
• SAP HANA Smart Data Integration
• SAP HANA Streaming Analytics
• SAP HANA Spatial Service
• SAP HANA Streaming Analytics
• SAP Identity and Access Governance
• SAP Industry Processing Framework
• SAP Integrated Business Planning for Supply Chain
• SAP Information Platform Services
• SAP Intelligent Routing
• SAP IoT services for SAP BTP
• SAP IQ / SAP Sybase IQ
• SAP Landscape Transformation Replication Server
• SAP Learning System Access
• SAP Litmos
• SAP Liquidity Management Suite for Banking
• SAP Manufacturing Execution
• SAP Manufacturing Integration & Intelligence
• SAP Marketing Cloud
• SAP MaxDB/liveCache
• SAP Multi-Bank Connectivity
• SAP NetWeaver Application Server for ABAP
• SAP NetWeaver Application Server for Java
• SAP Outcome-Based Business Insights
• SAP Plant Connectivity
• SAP Predictive Analytics
• SAP Process Control 12.0 for SAP S/4HANA
• SAP Process Control 12.0
• SAP Returnable Packaging Management
• SAP Risk Management 12.0
• SAP Risk Management 12.0 for SAP S/4HANA
• SAP Roambi Enterprise
• SAP SCM Optimization
• SAP Signavio Journey Modeler
• SAP Signavio Process Governance
• SAP Signavio Process Intelligence
• SAP Solution Manager 7.2 (On-Premise)
• SAP Sports One
• SAP SL Toolset 1.0 SP33
• SAP SuccessFactors Litmos
• SAP Supplier Problem Solving
• SAP SQL Anywhere Server 17.0
• SAP TREX (Text Retrieval and Information Extraction) and BWA (Business Warehouse
Accelerator)
• SAP Upscale Commerce
• SAP Warehouse Insights
• SAP Watchlist Screening

Current Patch Application
At the time of publication, the following products have been identified as using Log4J. Appropriate patching
or recommended temporary fixes were applied.

• SAP Analytics Cloud (incl. Analytics Cloud Agent)
• SAP Ariba Procurement
• SAP Big Data Services
• SAP Built-In Support
• SAP Business Network
• SAP Business Process Intelligence
• SAP Business Technology Platform Cloud Foundry
• SAP Cloud ALM
• SAP Cloud Deployment Service
• SAP Cloud for Energy
• SAP Cloud for Customer
• SAP Cloud for Project
• SAP Commerce ISS / CDS
• SAP Concur Chorus DT
• SAP Concur Compleat
• SAP Concur Expense
• SAP Concur Invoice
• SAP Concur Travel
• SAP Concur TripIt
• SAP Customer Data Cloud/ Customer Data Platform
• SAP Data Intelligence (Cloud)
• SAP Document and Reporting Compliance service
• SAP Document Compliance, inbound invoicing option for Brazil
• SAP Document Compliance, outbound invoicing option for Brazil (nota fiscal eletronica)
• SAP Emarsys Customer Engagement
• SAP Enable Now (HANA Cloud Edition)
• SAP Enterprise Product Development
• SAP Enterprise Threat Detection Cloud Release 100
• SAP Event Ticketing Hub
• SAP Field Service Management
• SAP Fieldglass
• SAP HANA Cloud
• SAP HANA Service for BTP
• SAP HANA XS Advanced (XSA) Runtime – Workaround and Solution , XSA Cockpit – Solution
• SAP Health Foundation Services Patient Accounting
• SAP Help Portal
• SAP Identity Authentication Service
• SAP Information Collaboration Hub for Life Sciences
• SAP Landscape Management (Cloud)
• SAP Landscape Management (On-Premise)
• SAP Learning Hub
• SAP Leonardo Machine Learning Foundation
• SAP Localization Hub, candidate pipeline service
• SAP Localization Hub, digital compliance service for India
• SAP Localization Hub, social media integration service
• SAP Localization Hub, social media integration service for China for SAP SuccessFactors Recruiting
• SAP Localization Hub, social media integration service for LINE
• SAP Localization Hub, social media integration service for China for employee self-service
• SAP Localization Hub, social media integration service for SAP Analytics Cloud
• SAP Loyalty Marketing
• SAP Privacy Governance
• SAP Process Insights
• SAP Products on BTO
• SAP Process Insights
• SAP Process Orchestration – Solution
• SAP S/4HANA on-Premise – XI Adapter Framework
• SAP S/4HANA on-Premise non-ABAP
• SAP S/4HANA for Product Compliance
• SAP Signavio Process Manager(Cloud)
• SAP Signavio Process Collaboration Hub (Cloud)
• SAP SuccessFactors
• SAP Sales Performance Management (SPM)
• SAP Sourcing and SAP Contract Lifecycle Management
• SAP SuccessFactors Employee Central Payroll(ECP)

Patch Pending

At the time of publication, the following products are pending patch development. The available workarounds
are found in the links provided below.

• SAP AssetCentricService
• SAP Business One (Cloud) – Workaround
• SAP Business One (On-Premise) – Workaround
• Customer Applications on BTP Cloud Foundry Environment – Customers to implement SAP Note
• SAP Cloud for Customer – Lotus Notes Add-In 2021
• SAP Commerce Cloud (in Public Cloud) – Workaround
• SAP Commerce Cloud (in SAP Infrastructure V1.0 and V1.2)- Workaround
• SAP Commerce (On-Premise) – Workaround
• SAP Consumer Industries Cloud- Active MMPs
• SAP Contact Center 7.0 – Workaround
• SAP Customer Checkout versions 2.0 FP09, 2.0 FP10, 2.0 FP11 PL06 (or lower) and 2.0 FP12 PL04
(or lower) – Workaround
• SAP Customer Checkout manager versions 2.0 FP09, 2.0 FP10, 2.0 FP11 PL06 (or lower) and 2.0
FP12 PL04 (or lower) – Workaround
• SAP Data Intelligence (On-Premise) – Workaround
• SAP Health – CHP 2.0
• Digital Manufacturing Cloud
• Digital Manufacturing Edge
• SAP Enterprise Threat Detection log collector (On-Premise) – SAP Hotnews
• SAP Enterprise Threat Detection 2.0 (On-Premise) – SAP Hotnews
• SAP SuccessFactors Visa and Permits Management
• SAP Enable Now – On-Premise (HANA Edition, Microsoft SQL Edition) – Workaround
• SAP PowerDesigner(On-Premise) – Workaround

If you are unable to identify your SAP product or service in the lists above, please contact our support portal
for more information.

Leave a Reply


× eight = 16

Blogroll