on 09-20-2022 8:09 PM
Recently, our EDR tool found some Log4j and Commons FileUpload vulnerabilities on some of our machines and I found that they were associated with possibly Crystal Reports. These are some of the things we found:
C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript
C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript.js
C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_stub.js
C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_stub_uncompressed.js
C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\log4javascript_uncompressed.js
C:\inetpub\wwwroot\aspnet_client\system_web\2_0_50727\crystalreportviewers13\js\log4javascript\main.css
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript.js
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_stub.js
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_stub_uncompressed.js
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript_uncompressed.js
C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\main.css
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub_uncompressed.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_uncompressed.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_stub_uncompressed.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\log4javascript_uncompressed.js
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript\main.css
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.cab
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.msi
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.cab
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\content.msi
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.bundle-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\assemblylist.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\content.cab
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\content.msi
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.classes-1.2.6_sap.1-core-nu\14.0.0.760\seed.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\assemblylist.xml
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\content.cab
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\content.msi
C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j.nteventlogappender-1.2.6_sap.1-core-32\14.0.0.760\seed.xml
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\log4j.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\bundles\com.businessobjects.log4j.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\log4j.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis\1.3\log4j-1.2.8.jar
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports 2011\java\lib\external\commons-fileupload-1.1.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.1.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload\commons-fileupload-LICENSE.txt
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\commons-fileupload-1.1.1.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\commons-fileupload-1.1.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\commons-fileupload-1.1.1.jar
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\commons-fileupload-1.1.jar
Are these legitimate issues? What are the solutions for these? Thanks.
For the log4j issue, see Log4j security vulnerability with SAP Crystal Reports for .NET SDK. The gist of it is that the .NET SDK uses log4net, not log4j, and is not affected.
If your application is written in Java, then it needs to be at SP 28 or newer to avoid the log4j vulnerability.
For SAP BusinessObjects, it uses a version of log4j that is older than the versions that have the security vulnerability, so it's not an issue there.
-Dell
You are using legacy versions of Crystal Reports.
Upgrade to the latest CR 2016 or CR 2020 to get the latest Service Packs (SP).
Runtime for CR for VS for Crystal Reports is available here:
https://wiki.scn.sap.com/wiki/display/BOBJ/Crystal+Reports%2C+Developer+for+Visual+Studio+Downloads
To upgrade to CR 2016 or CR 2020 go here:
https://help.sap.com/docs/SAP_CRYSTAL_REPORTS
We have not patched any previous version for the Log4J issues.
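Added example, not part of the thread and not SAP's code: a triage sketch that sorts a findings list like the one in the question into library families and versions, so that `log4javascript` hits (a JavaScript logging library) are separated from Apache Log4j jars and unversioned jars are flagged for a manifest check. The function names `classify` and `summarize` are hypothetical, and the sample paths are copied from the question.

```python
import re
from pathlib import PureWindowsPath

# Sample input: five of the paths quoted in the question above.
FINDINGS = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\crystalreportviewers13\js\log4javascript\log4javascript.js",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\log4j.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis\1.3\log4j-1.2.8.jar",
    r"C:\Program Files (x86)\SAP BusinessObjects\InstallData\InstallCache\tp.apache.log4j-1.2.6_sap.1-core-nu\14.0.0.760\content.cab",
    r"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\classes\commons-fileupload-1.1.1.jar",
]

# "<library>[.suffix]-<dotted version>", e.g. log4j-1.2.8.jar or
# tp.apache.log4j.bundle-1.2.6_sap.1-core-nu
VERSIONED = re.compile(r"(log4j|commons-fileupload)[a-z.\-]*?-(\d+(?:\.\d+)+)", re.I)

def classify(path):
    """Return (family, version_or_None, note) for one reported path."""
    parts = PureWindowsPath(path).parts
    if any("log4javascript" in seg.lower() for seg in parts):
        return ("log4javascript", None, "JavaScript logging library, not Apache Log4j")
    for seg in reversed(parts):  # the segment closest to the file wins
        m = VERSIONED.search(seg)
        if m:
            family, version = m.group(1).lower(), m.group(2)
            if family == "log4j":
                line = "1.x" if version.startswith("1.") else "2.x or later"
                return (family, version, f"Apache Log4j {line} line")
            return (family, version, "check this version against the vendor advisory")
    name = parts[-1].lower()
    for family in ("log4j", "commons-fileupload"):
        if family in name:
            return (family, None, "no version in the name; read the jar manifest")
    return ("other", None, "not a logging or upload library by name")

def summarize(paths):
    """Group findings into {family: sorted versions}; unversioned files count as 'unknown'."""
    out = {}
    for p in paths:
        family, version, _ = classify(p)
        out.setdefault(family, set()).add(version or "unknown")
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for p in FINDINGS:
        print(classify(p), PureWindowsPath(p).name)
```
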