cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Log4j security vulnerability with SAP Crystal Reports for .NET SDK

Go to solution
dave_smith2
Participant

on ‎12-10-2021 9:27 PM

We were just made aware of a severe vulnerability in the Java logging library Apache Log4j.

See the following article for more information:

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-bei...

Is this library present and being used by the Crystal Reports runtime engine for .NET SDK (using v13.0.30.3805)? If so, what measures can we take to mitigate this vulnerability? Is SAP planning to issue some kind of patch?

Thanks in advance.

Show replies
Show replies
tomaslov
Explorer
‎12-11-2021 9:20 PM
0 Kudos

Thanks alot!

cherylmathieu
Member
‎12-11-2021 9:46 PM
0 Kudos

Thank you!

dave_smith2
Participant
‎12-11-2021 11:52 PM

Thank you, but this article only refers to SAP Business Objects BI Platform 4.2x.

How does this vulnerability affect the SAP Crystal runtime for .NET and/or Crystal Reports itself?

Has SAP looked into those components and is there any indication as to whether or not they are affected?

dmjohnston
Explorer
‎12-12-2021 8:50 AM

I also need to have this answered specifically for the SAP Crystal Runtime. Why is this kind of information behind the S-account wall, anyway?

laxmi_b
Explorer
‎12-12-2021 5:41 PM
0 Kudos

There are lot of files with Name *\Log4j-1.2.15.jar and Log4j.jar in the SAP Business Objects 4.3 implementation. Can SAP give a more detailed answer on the version of all the Log4j files?

edwardtam
Discoverer
‎12-13-2021 7:58 AM

I also need to have this answered specifically for the SAP Crystal Reports 2016. Could anyone please share the related info somewhere more open to us who need this?

alexhart
Discoverer
‎12-13-2021 9:13 AM
0 Kudos

https://logging.apache.org/log4j/2.x/security.html

Joe_Peters
Active Contributor
‎12-13-2021 6:38 PM
0 Kudos

Interesting - the last bullet point (about updating to 2.15) was just removed from the page.

ayman_salem
Active Contributor
‎12-13-2021 6:48 PM
0 Kudos

You are right, SAP updates the KBA regularly (now version 5)

dmjohnston
Explorer
‎12-14-2021 8:24 AM
0 Kudos

As others have noted, Ayman, the OP, and others here, are asking about the impact to Crystal Reports, which is different than the Business Objects BI platform.

dave_smith2
Participant
‎12-14-2021 1:14 PM
0 Kudos

And what about the SAP Crystal runtime for .NET? Is that mentioned in this KBA?

How can we access this document? We do not have an S-user id and are prevented from seeing it.

Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member11696
Employee
Employee
‎01-07-2022 8:46 PM
0 Kudos

Hi John,

The important part about all of these issues is the classes in log4j that have the issue is not included in the SAP versions so not sure about the scanner you are using and if it looks for the specific class definition or just the file/versions.

The only version that was affected is in CR for Eclipse and that one we just released SP 28 to fix the issue with the updated log4j jar version 2.17.1

https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads

Use Google and search for this KBA 3131199 for CR for Eclipse.

You will need to contact Sage to see if and when they provide a fix or answer.

I don't believe you'll be able to delete the files, the instal manifest file will put it back on if it detects it missing.

Just be assured our version does not include the class with the vulnerability so it's not an issue.

Hope that clears things up for everyone.

Don

Show replies
Show replies

Answers (7)

Answers (7)

former_member11696
Employee
Employee
‎12-13-2021 10:26 PM

Update:

Only CR4Eclipse was impacted but, as per KBA 3131199, it has now been corrected in SP28.

You can get SP 28 from here:

https://wiki.scn.sap.com/wiki/display/BOBJ/SAP+Crystal+Reports+version+for+Eclipse+-+Downloads

Show replies
Show replies
dave_smith2
Participant
‎12-13-2021 10:35 PM

Would it be possible to gain access to this KBA somehow? We do not have an S-user id and so cannot access it. It would be much appreciated if you would be able to provide a link that allows us to view it.

Thank you.

former_member11696
Employee
Employee
‎12-13-2021 4:22 PM

Hi Guys,

We've discussed this over the weekend and it does not impact CR or CR for VS or BOE runtime at all.

Yes our version is out of date and we are working on updating it but there is no impact to .NET runtime since it's not used.

So you can ignore the the warning.

Don

Show replies
Show replies
former_member780741
Discoverer
‎12-13-2021 4:52 PM
0 Kudos

Hi Don,

I understand Apache Tomcat is open source and is bundles with SAP. Can you help if there is any impact on log4j.jar versions below 2 within Apache tomcat please.

Regards

Karthik

dave_smith2
Participant
‎12-13-2021 5:15 PM

Don,

Is there an official release from SAP that explains this? Preferably a document that we all can access without the need for an S-user id?

Thanks.

former_member776593
Discoverer
‎12-22-2021 3:43 AM
0 Kudos

Hi Don,

We have our client which currently still running and using SAP Crystal Server and Crystal Reports 2013 old version.

Since SAP Crystal Server 2013 is run on BI Platform 4.1, could you check and confirm to us whether this version is impacted or not?

In latest SAP notes release, it only mention SAP BusinessObjects Business Intelligence Platform 4.2, 4.3 environment were not impacted.

former_member780741
Discoverer
‎12-11-2021 1:58 PM

Hi Dave,

Please refer to the note released by SAP on this:

3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

Hope this helps.!

Regards

Karthik

Show replies
Show replies
dave_smith2
Participant
‎12-11-2021 3:49 PM
0 Kudos

Hi,

I am unable to access this link due to some sort of authentication issue (see below error). Can you provide a link that will allow me to access this document? Thanks.

You are signed in with a P-user ID. Visitors with an S-user ID will benefit from more tools and enhanced functionality.

dave_smith2
Participant
‎12-11-2021 4:17 PM

Apparently, an S-user id is required to access this information. We do not have an S-user id. How can we obtain this document?

tomaslov
Explorer
‎12-11-2021 9:12 PM
0 Kudos

We also have an issue reaching this document, as we only have P-user ID as well. Could anyone please share the related info somewhere more open to us who need this?

ayman_salem
Active Contributor
‎12-11-2021 9:18 PM
0 Kudos

see me Answer

edwardtam
Discoverer
‎12-13-2021 7:58 AM
0 Kudos

I also need to have this answered specifically for the SAP Crystal Reports 2016. Could anyone please share the related info?

former_member780741
Discoverer
‎12-13-2021 4:50 PM
0 Kudos

Hi Edward,

I had a connect with SAP team and they confirmed no impact on any of BI components and that includes crystal reports.

However, you will need to validate log4j.jar versions of Apache Tomcat services and apply fix if the version you are on is vulnerable.

Apache Log4j Security Vulnerabilities

Good Luck.!

Karthik

jason_walters2
Explorer
‎12-14-2021 7:24 PM
0 Kudos

I read this note but it doesn't go far enough -- I need further clarity to actually believe it. Crystal Reports 2016 SP4 installer has left no less than 4 copies of the log4j.jar (dated 2/1/2017), all sourced to the BusinessObjects Enterprise XI 4.0 subfolder.

Are we assumed to be safe because the version number is old? Or are we presumed save if you are not actually using the XI 4.0 Server?

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\jars\lib

jar.png

dave_smith2
Participant
‎12-15-2021 7:26 PM
0 Kudos

We were finally able to review this KBA. Not to beat a dead horse, but it makes no specific mention of the SAP Crystal runtime for .NET, which was the subject of my post. We see Crystal Reports and other BO components, but nothing about the runtime.

Will this component be added to the list of environments not affected by this vulnerability?

Environment

SAP BusinessObjects Business Intelligence Platform 4.2, 4.3

SAP BusinessObjects Business Intelligence (BI) Platform 4.0 / 4.1 * NO LONGER SUPPORTED

SAP Crystal Server 2016, 2020

SAP Crystal Reports 2016, 2020

SAP Crystal Reports for Enterprise 4.2, 4.3

Live Office

Universe Design Tool (UDT)

Analysis for Office (AO) and Analysis for Office Add-on for BI Platform

Lumira Discovery, Lumira Server for BI Platform & Lumira Designer

SAP BI Mobile server

All Operating Systems

former_member11696
Employee
Employee
‎01-13-2022 6:14 PM
0 Kudos

And to answer your question CR for VS does not use log4j, it uses log4net so doesn't impact CR for VS at all

Show replies
Show replies
sankethgardas
Member
‎03-17-2022 8:05 AM
0 Kudos

Hi,

Is Crystal Reports 2011 version 14.0.7 affected by log4j vulnerability as well?

baerjo
Member
‎12-17-2021 1:59 PM
0 Kudos

Will the Sage Fixed Assets bundled SAP Crystal Reports for Sage still work if the log4j files are deleted from the system?

Qualys is still flagging the files as at risk, even though SAP mentions above that they are not affected. I'm being asked to delete the files from the client computers.

Show replies
Show replies
srujankumar28
Explorer
‎12-13-2021 7:11 PM
0 Kudos

Hi Expert,

If Log4j vulnerability are not impacting Business Objects 4.2 then how can we fix the issue on Tomcat nodes?

Thanks

Show replies
Show replies
dmjohnston
Explorer
‎12-13-2021 4:19 PM
0 Kudos

SAP sent me this: support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf

But I can't access it since I'm not linked to an S-user ID.

Show replies
Show replies
Joe_Peters
Active Contributor
‎12-13-2021 4:41 PM
0 Kudos

I can't copy it word-for-word, but it only says that they're aware of the problem and looking into it.

Ask a Question