
Log4j and commons fileupload security vulnerabilities with SAP Crystal Report

0 Kudos

Recently, our EDR tool found some Log4j and Commons FileUpload vulnerabilities on some of our machines, and I found that they were possibly associated with Crystal Reports. These are some of the things we found:

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_stub.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_stub_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\main.css

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_stub.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_stub_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\main.css

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\bundles\com.businessobjects.log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis\1.3\log4j-1.2.8.jar

:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\java\lib\external\commons-fileupload-1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload\commons-fileupload-LICENSE.txt

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\commons-fileupload-1.1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\commons-fileupload-1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\commons-fileupload-1.1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\commons-fileupload-1.1.jar

Are these legitimate issues? What are the solutions for these? Thanks.

DellSC
Active Contributor
0 Kudos

I changed the tag on your question to "SAP Crystal Reports, version for Visual Studio" which is the correct tag for questions about the .NET SDK and its runtime, which is what it appears you're using.

The "SAP Crystal Reports" tag is for questions about report design and how to use the SAP Crystal Reports desktop software.

-Dell

DellSC
Active Contributor
0 Kudos

What version of the Crystal for VS runtime is installed on your server? What version of BOBJ are you running?

-Dell

Accepted Solutions (1)


DellSC
Active Contributor
0 Kudos

For the log4j issue, see "Log4j security vulnerability with SAP Crystal Reports for .NET SDK". The gist of it is that the .NET SDK uses log4net, not log4j, and is not affected.

If your application is written in Java, then it needs to be at SP 28 or newer to avoid the log4j vulnerability.

For SAP BusinessObjects, it uses a version of log4j that is older than the versions that have the security vulnerability, so it's not an issue there.

-Dell
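One way to sort an EDR path list like the one in the question into the groups this answer distinguishes, as an added example that is not part of the original thread or any SAP tooling: it separates log4javascript (a browser-side JavaScript logging library that only matches "log4j" by name) from Apache log4j artifacts and pulls versions out of file and folder names. The `classify` and `triage` functions and the category labels are assumptions made for this illustration; the sample paths are copied from the question.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: five of the paths quoted in the question above.
SAMPLE_HITS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript.js",
    r"C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.cab",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis\1.3\log4j-1.2.8.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.1.jar",
]

# Version embedded in a name, e.g. tp.apache.log4j.bundle-1.2.6_sap.1 or log4j-1.2.8.jar
LOG4J_VER = re.compile(r"log4j(?:\.[a-z]+)*-(\d+(?:\.\d+)+)", re.I)
FILEUPLOAD_VER = re.compile(r"commons-fileupload-(\d+(?:\.\d+)+)", re.I)

def classify(path):
    """Return (category, version_or_None) for one EDR path hit."""
    lowered = path.lower()
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # log4javascript is JavaScript, not Apache log4j: a name-only match.
    if any(p.startswith("log4javascript") for p in parts):
        return ("log4javascript", None)
    m = FILEUPLOAD_VER.search(path)
    if m or "commons-fileupload" in lowered:
        return ("commons-fileupload", m.group(1) if m else None)
    m = LOG4J_VER.search(path)
    if m:
        major = m.group(1).split(".")[0]
        return ("log4j-1.x" if major == "1" else "log4j-other", m.group(1))
    if "log4j" in lowered:
        # No version in the name: it has to be read from the jar itself.
        return ("log4j-unversioned", None)
    return ("other", None)

def triage(paths):
    """Group hits so each category is checked against vendor guidance once."""
    groups = defaultdict(set)
    for path in paths:
        category, version = classify(path)
        groups[category].add(version or "unknown")
    return {category: sorted(versions) for category, versions in groups.items()}

if __name__ == "__main__":
    for category, versions in triage(SAMPLE_HITS).items():
        print(f"{category}: {', '.join(versions)}")
```

Hits that land in `log4j-unversioned` need the jar opened (for example its manifest) before they can be compared with the versions discussed in this thread.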

DellSC
Active Contributor
0 Kudos

SP = Service Pack.

-Dell

0 Kudos

What do you mean by SP?

Answers (1)


0 Kudos

You are using legacy versions of Crystal Reports.

Upgrade to the latest CR 2016 or CR 2020 to get the latest Service Packs (SP).

Runtime for CR for VS for Crystal Reports is available here:

https://wiki.scn.sap.com/wiki/display/BOBJ/Crystal+Reports%2C+Developer+for+Visual+Studio+Downloads

To upgrade to CR 2016 or CR 2020 go here:

https://help.sap.com/docs/SAP_CRYSTAL_REPORTS

We have not patched any previous version for the Log4J issues.