German software maker SAP is scrambling to patch the Log4Shell vulnerability in its applications and has rolled out fixes for tens of other severe flaws in its products.
SAP identified a total of 32 applications affected by CVE-2021-44228, a critical vulnerability in the Apache Log4j Java-based logging tool, and has already shipped patches for 20 of them, while scrambling to fix the remaining 12 as soon as possible.
In a report containing information on the affected software and the status of patching, SAP is also providing recommended workarounds for some of the applications that have yet to receive patches.
The Log4Shell vulnerability can be exploited by attackers to gain control of the affected systems. With tens of large tech companies already confirming impact from the bug, malicious attacks have been on the rise.
SAP also announced the availability of fixes for tens of other severe vulnerabilities in its products, as part of its monthly Security Patch Day.
The company published 10 new security notes and five updated notes on its December 2021 Security Patch Day, to which six other notes released between the second Tuesday of November and the second Tuesday of December should be added, enterprise application security firm Onapsis says.
Two of this month’s new security notes were rated ‘hot news’, the highest severity rating in SAP’s playbook, both carrying a CVSS rating of 9.9 (out of 10).
The first of them addresses 11 code execution vulnerabilities in SAP Commerce – the localization for China package – which are related to the application’s use of the open source library XStream. The update also addresses denial of service (DoS) and server-side request forgery (SSRF) bugs.
The second new hot news security note fixes a code injection bug in ABAP Server & ABAP Platform by deactivating the vulnerable code. The bug doesn’t have the highest possible severity rating because an attacker needs at least few privileges to exploit it.
SAP also announced an update for two other hot news security notes, one delivering updates for the Chromium browser in Business Client, and another addressing an SQL injection in NZDT Mapping Table Framework.
On this Security Patch Day, SAP announced the release of six security notes that address high-severity vulnerabilities in five applications, including SQL injection and DoS in Commerce, cross-site scripting (XSS) in Knowledge Warehouse, code injection in NetWeaver AS ABAP, DoS in SuccessFactors Mobile Application for Android devices, and directory traversal in SAF-T Framework.
Four of the remaining notes deal with medium-severity vulnerabilities, while the last one addresses a low-severity issue.
Related: SAP Patches Critical Vulnerability in ABAP Platform Kernel
Related: SAP Patches Critical Vulnerabilities in Environmental Compliance
Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates