Statement on “Log4j” Vulnerability from FocusPoint
Charles Robinson – Chief Technology Officer, FocusPoint
In response to the potential impact of the open-source Apache “Log4j” vulnerability as it relates to FocusPoint, there is no impact to the system. FocusPoint is built on the latest .NET Core stack and therefor is not affected by this vulnerability.
Components of SAP that support the integration should be evaluated by your SAP VAR, please see the following attachment released from SAP.
Additional details on “Log4j” Vulnerability:
The vulnerability, referenced as CVE-2021-44228 by the NIST I described as follows: “Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.”
For more details on this vulnerability, please reference this statement from the Cybersecurity & Infrastructure Security Agency.
Brought to you by the B2B and B2c e-commerce implementation team at FocusPoint: an all-in-one solution for SAP Business One customers.