Security News > 2021 > December > SAP Kicks Log4Shell Vulnerability Out of 20 Apps

SAP has identified 32 apps that are affected by CVE-2021-44228 - the critical vulnerability in the Apache Log4j Java-based logging library that's been under active attack since last week.

Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them - #3089831, tagged with a CVSS score of 9.9 - was initially released on SAP's September 2021 Patch Tuesday.

Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms.

SAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5.

"The vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer's landscape is all that is needed to be vulnerable," Fritsch cautioned.

With a CVSS score of 8.4, SAP Security Note #3123196 describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP. "A highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system," Fritsch elucidated.

News URL

https://threatpost.com/sap-log4shell-vulnerability-apps/177069/