Response to Log4j vulnerability
ZAIP.one incident process and response to the Log4j / CVE-2021-44228 vulnerability with regard to SAP Business One Cloud
On December 9, the world was made aware of a vulnerability in the Log4j logging framework, tracked as CVE-2021-44228. Log4j is a popular Java library developed by the Apache foundation; it is widely used and appears in SAP Business One components as well.
According to the US National Vulnerability Database (NVD), this issue is classified as Critical and rated 10/10 in severity.
As no official statement from SAP was yet available, ZUTOM immediately initiated its incident response process. Without delay, we began assessing the potential impact on our services and infrastructure, as security is our top priority and critical to protecting our customers.
We have taken all steps to keep our SAP B1 Partners safe and protected, including rolling out our own fix: a WAF block on our reverse proxy that prevents any access from outside.
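As an added illustration of the kind of reverse-proxy block described above (this is not ZAIP.one's or ZUTOM's actual configuration, which the notice does not publish), the following nginx fragment places an allow-list in front of the proxied Java application so that only assumed internal address ranges can reach it. The hostname, address ranges, certificate paths and upstream name are placeholders, and the choice of nginx is an assumption.

```nginx
# Added example, not ZAIP.one / ZUTOM configuration.
# Assumptions: nginx is the reverse proxy in front of the Java application;
# 10.0.0.0/8 and 192.168.0.0/16 are placeholder internal ranges;
# app_backend, the hostname and the certificate paths are placeholders.

upstream app_backend {
    server 127.0.0.1:8080;          # placeholder address of the Java backend
}

server {
    listen 443 ssl;
    server_name b1.example.internal;                    # placeholder hostname
    ssl_certificate     /etc/nginx/certs/placeholder.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/placeholder.key;   # placeholder path

    location / {
        # Weak setting: with only the proxy_pass line below, any source
        # address on the internet can send requests to the Java backend.
        #
        # Hardened setting: allow-list internal ranges and reject everything
        # else before the request is forwarded. nginx evaluates allow/deny in
        # order and answers 403 to any address that is not allow-listed.
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny  all;

        proxy_pass http://app_backend;
    }
}
```

Two practical checks when applying a block like this: if another proxy or load balancer sits in front of nginx, the address nginx sees is that proxy's, so the allow-list must be evaluated on the real client address (for example via the real_ip module with a trusted-proxy list) or it will either block everyone or nobody; and after reloading, confirm from an external address that the service answers 403 and from an internal one that it still works. Restricting reachability reduces exposure but does not remove the vulnerable code, so the vendor fix remains necessary.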
In the meantime, SAP Note 3131789 was released yesterday with SAP's official statement. After a full review of our servers, we are now fully compliant with it as well.
The situation is under control, but we will continue to investigate this vulnerability and provide further updates if any new risk is identified.