Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Log4Shell Vulnerability in 20 Applications

German software maker SAP is scrambling to patch the Log4Shell vulnerability in its applications and has rolled out fixes for tens of other severe flaws in its products.

German software maker SAP is scrambling to patch the Log4Shell vulnerability in its applications and has rolled out fixes for tens of other severe flaws in its products.

SAP identified a total of 32 applications affected by CVE-2021-44228, a critical vulnerability in the Apache Log4j Java-based logging tool, and has already shipped patches for 20 of them, while scrambling to fix the remaining 12 as soon as possible.

In a report containing information on the affected software and the status of patching, SAP is also providing recommended workarounds for some of the applications that have yet to receive patches.

The Log4Shell vulnerability can be exploited by attackers to gain control of the affected systems. With tens of large tech companies already confirming impact from the bug, malicious attacks have been on the rise.

SAP also announced the availability of fixes for tens of other severe vulnerabilities in its products, as part of its monthly Security Patch Day.

The company published 10 new security notes and five updated notes on its December 2021 Security Patch Day, to which six other notes released between the second Tuesday of November and the second Tuesday of December should be added, enterprise application security firm Onapsis says.

Two of this month’s new security notes were rated ‘hot news’, the highest severity rating in SAP’s playbook, both carrying a CVSS rating of 9.9 (out of 10).

The first of them addresses 11 code execution vulnerabilities in SAP Commerce – the localization for China package – which are related to the application’s use of the open source library XStream. The update also addresses denial of service (DoS) and server-side request forgery (SSRF) bugs.

The second new hot news security note fixes a code injection bug in ABAP Server & ABAP Platform by deactivating the vulnerable code. The bug doesn’t have the highest possible severity rating because an attacker needs at least few privileges to exploit it.

SAP also announced an update for two other hot news security notes, one delivering updates for the Chromium browser in Business Client, and another addressing an SQL injection in NZDT Mapping Table Framework.

On this Security Patch Day, SAP announced the release of six security notes that address high-severity vulnerabilities in five applications, including SQL injection and DoS in Commerce, cross-site scripting (XSS) in Knowledge Warehouse, code injection in NetWeaver AS ABAP, DoS in SuccessFactors Mobile Application for Android devices, and directory traversal in SAF-T Framework.

Four of the remaining notes deal with medium-severity vulnerabilities, while the last one addresses a low-severity issue.

Related: SAP Patches Critical Vulnerability in ABAP Platform Kernel

Related: SAP Patches Critical Vulnerabilities in Environmental Compliance

Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.