Potential risks in their own system landscape. ComplianceNow has performed a thorough analysis of our products and found that log4j has been used in certain versions of our software. We have reached out to all our affected customers directly, but for additional information on how the log4j component has been used and which actions are needed to secure the ComplianceNow suite, we have compiled this information.
Summary
On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.
This specific vulnerability has been assigned CVE-2021-44228 and is also commonly referred to as “Log4Shell” in various blogs and reports. Versions of the library said to be affected are 2.0-beta9 to 2.14.1.
Impact
The log4j library is actively used in the ComplianceNow suite for minor operations. The affected versions of the ComplianceNow suite are version 5.2.6 releases between and including 10945 and 11688.
The log4j library is not directly reachable through any web requests and is only used internally in the code when generating Excel files, which is done in a separate sandboxed process. We have not been able to replicate any such attack on our servers and do not consider ComplianceNow installations exposed. We do, however, encourage that the libraries are updated to a version that does not contain the mentioned vulnerability, so everyone can rest easy knowing that the flawed code is not even present on the server.
How would I know if I am affected?
If you are using either Authorization Process Manager (APM), Usage Monitor (UM), Access Control (AC) or Internal Control (IC), you can open the application to verify your actual application version. The “about” tab, which is the first view of the application, contains the version and release numbers.
The version is the first number and the release is the number enclosed in parentheses.
Protection
ComplianceNow has been working on identifying a solution that will ensure no vulnerabilities exist in the ComplianceNow server located on your premises. The resolution will need to be performed by following the steps below:
- Identify the current log4j libraries in your application folder: \ComplianceNow\CNSuite\Java\lib\apache\
- Delete the 2 files from the folder: log4j-api-2.14.0.jar and log4j-core-2.14.0.jar
- Download the log4j version 2.17.1 files from https://acsol-packages.s3.eu-west-1.amazonaws.com/3rdParty/ComplianceNow-log4j-2.17.1.zip and unpack them to the same folder
- Restart the Apache service on your server
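As an added check (example code, not ComplianceNow's), the script below inventories the log4j jars in the lib folder from the first step and flags those whose version falls inside the affected range, reading the version from each jar's manifest rather than trusting the file name. The two sample jars it builds are constructed fixtures, and the folder path you point it at is assumed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Range quoted in the advisory: 2.0-beta9 up to and including 2.14.1; 2.17.1 is the replacement.
AFFECTED_LOW, AFFECTED_HIGH, FIXED_VERSION = "2.0-beta9", "2.14.1", "2.17.1"
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # finals rank 3, above any pre-release

def parse_version(text):
    """Turn '2.14.0' or '2.0-beta9' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    rank = PRERELEASE_RANK[m[4]] if m[4] else 3
    return (int(m[1]), int(m[2]), int(m[3] or 0), rank, int(m[5] or 0))

def is_affected(version):
    """True for versions inside the CVE-2021-44228 range the advisory names."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest, falling back to the file name."""
    with zipfile.ZipFile(jar_path) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m:
        return m[1]
    m = re.search(r"^log4j-\w+-(.+)\.jar$", Path(jar_path).name)
    return m[1] if m else None

def scan_folder(folder):
    """Map each log4j-*.jar in the folder to (version, affected?) for a quick inventory."""
    report = {}
    for jar in sorted(Path(folder).glob("log4j-*.jar")):
        ver = jar_version(jar)
        report[jar.name] = (ver, is_affected(ver) if ver else None)
    return report

def make_sample_folder():
    """Constructed fixture (not real jars): two minimal jars carrying only a manifest."""
    folder = Path(tempfile.mkdtemp())
    for name, ver in (("log4j-api-2.14.0.jar", "2.14.0"), ("log4j-core-2.17.1.jar", "2.17.1")):
        with zipfile.ZipFile(folder / name, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
    return folder

if __name__ == "__main__":  # replace make_sample_folder() with the real lib folder path
    for name, (ver, bad) in scan_folder(make_sample_folder()).items():
        print(f"{name}: {ver} -> {'AFFECTED, replace with ' + FIXED_VERSION if bad else 'ok'}")
```

Run it again after the replacement and restart to confirm that no jar in the folder is still reported as affected.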
Additional information
https://logging.apache.org/log4j/2.x/security.html
If you have any further questions, don’t hesitate to contact our support team.
Sincerely,
ComplianceNow