Sep 20 at 07:09 PM

Log4j and commons fileupload security vulnerabilities with SAP Crystal Report

64 Views Last edit Sep 20 at 07:24 PM 2 rev

Recently, our EDR tool found some Log4j and Commons FileUpload vulnerabilities on some of our machines, and I found that they were possibly associated with Crystal Reports. These are some of the things we found:

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_stub.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_stub_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\main.css

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_stub.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_stub_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_uncompressed.js

C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\main.css

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_uncompressed.js

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\assemblylist.xml

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\content.cab

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\content.msi

C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\seed.xml

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\bundles\com.businessobjects.log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\log4j.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis\1.3\log4j-1.2.8.jar

:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\java\lib\external\commons-fileupload-1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload\commons-fileupload-LICENSE.txt

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\commons-fileupload-1.1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\commons-fileupload-1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\commons-fileupload-1.1.1.jar

C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\commons-fileupload-1.1.jar

Are these legitimate issues? What are the solutions for these? Thanks.
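
One way to triage a finding list like the one in the post, as an added example (not part of the original post, and not SAP's or the EDR vendor's tooling). It separates name matches on "log4j" into the client-side log4javascript library, installer-cache packages, and jars whose version can be read from the file name. The bucket names are assumptions of this example, and the sample list is a few paths copied from the post.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a handful of the paths listed in the post above.
FINDINGS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript.js",
    r"C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css",
    r"C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.cab",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\bundles\com.businessobjects.log4j.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis\1.3\log4j-1.2.8.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.1.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload\commons-fileupload-LICENSE.txt",
]

# Jar file name: optional dotted prefix, library name, optional -version.
JAR = re.compile(r"(?:[\w.]*\.)?(log4j|commons-fileupload)(?:-(\d+(?:\.\d+)*))?\.jar")
# Version embedded in an InstallCache package directory name.
CACHE_VER = re.compile(r"log4j[\w.]*-(\d+(?:\.\d+)+)", re.I)

def classify(path):
    """Return (bucket, version or None) for one finding path."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if "log4javascript" in parts:
        # Browser-side JavaScript logging library; not the Java Log4j code base.
        return ("log4javascript (client-side JS)", None)
    if "installcache" in parts:
        # Installer packages (.cab/.msi/.xml in the post), not loose jars.
        m = CACHE_VER.search(path)
        return ("installer cache package", m.group(1) if m else None)
    m = JAR.fullmatch(p.name.lower())
    if m:
        # No version in the file name: the jar itself has to be inspected.
        return (m.group(1) + " jar", m.group(2) or "unknown")
    return ("non-jar file", None)

def triage(paths):
    """Group findings by bucket; each bucket maps to its sorted versions."""
    buckets = defaultdict(set)
    for path in paths:
        bucket, version = classify(path)
        buckets[bucket].add(version)
    return {b: sorted(v, key=str) for b, v in buckets.items()}

if __name__ == "__main__":
    for bucket, versions in triage(FINDINGS).items():
        print(f"{bucket}: {versions}")
```

Only the jar buckets identify a Java library and version to check against the vendor's advisories; a jar reported as `unknown` has no version in its file name.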