CVE-2021-44228 Log4Shell Vulnerability in SAP Commerce Cloud on Premise

A lot of companies are facing the Log4Shell vulnerability at the moment. Apache log4j 2.x up to and including version 2.14.1 can be exploited to run arbitrary (malicious) code supplied from a remote machine. Unfortunately, there is still no official answer from SAP, therefore I want to share my knowledge on how to fix that issue. There is no guarantee of completeness, and your SAP Commerce setup could be different and may need more changes. Further, I don't take any responsibility if you damage your system. Test your system beforehand, make a backup and check the SAP Commerce help sites! I only want to share my experiences with you.

To mitigate the vulnerability you have to extend the tomcat.generaloptions property in your configuration file and set the option log4j2.formatMsgNoLookups to true next to your other options. Keep in mind that this flag is only honoured by log4j 2.10 and later (older versions ignore it silently), and that it blocks the original lookup path but not every variant (see CVE-2021-45046), so treat it as a stopgap until the library itself is updated.

tomcat.generaloptions= ... -Dlog4j2.formatMsgNoLookups=true

Next to this configuration, I also added the option to Solr. You can find the file here:

// path to

Now you can add the option to the file:

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

Another way is to replace the log4j libraries in the commerce installation. You can find the libraries here:

// commerce 

// solr | version directory depends on your commerce version

// solr | version directory depends on your commerce version

Replacing the libraries caused an issue on my platform: the loggers disappeared. Luckily, I found a comment in which the commenter mentioned removing the option. This did the trick and all loggers worked again. That property hasn't been used by SAP Commerce since version 1811.
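To check the three points above on a host in one go, here is a small POSIX shell audit script. It is an added example and not code from the original post or from SAP: it verifies that the flag is present in tomcat.generaloptions and in SOLR_OPTS, lists every log4j-core jar below a directory and classifies its version (the flag only helps for 2.10 to 2.14.1, 2.15.0 still has CVE-2021-45046, 2.16.0 still has CVE-2021-45105). The directory layout (config/local.properties, solr/bin/solr.in.sh, the jar locations) and all sample file contents are constructed assumptions for the demo and not the real SAP Commerce paths, which the post above leaves to your own installation.

```shell
#!/bin/sh
# Added example (not from the original post or from SAP): audit a commerce
# host for the Log4Shell mitigations discussed above.
# Directory layout and sample contents are constructed assumptions.

# Classify a log4j 2.x mainline version taken from a jar file name.
#   upgrade-required    : < 2.10, the formatMsgNoLookups flag is ignored
#   flag-mitigable      : 2.10 .. 2.14.1, CVE-2021-44228 blocked only while flag is set
#   partial-fix         : 2.15.0, CVE-2021-45046 still open
#   cve-2021-45105-open : 2.16.0, lookups removed, recursion DoS still open
#   fixed               : >= 2.17.0
#   backport-branch     : 2.3.x / 2.12.x security backports, check release notes
#   unknown             : not a plain 2.x version string
log4j_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi
    case "$major.$minor.$patch" in
        *[!0-9.]*) echo unknown; return ;;
    esac
    [ "$major" -eq 2 ] || { echo unknown; return; }
    if   [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ]; then echo backport-branch
    elif [ "$minor" -eq 12 ] && [ "$patch" -ge 2 ]; then echo backport-branch
    elif [ "$minor" -lt 10 ]; then echo upgrade-required
    elif [ "$minor" -lt 15 ]; then echo flag-mitigable
    elif [ "$minor" -eq 15 ]; then echo partial-fix
    elif [ "$minor" -eq 16 ]; then echo cve-2021-45105-open
    else echo fixed
    fi
}

# Does file $1 set key/variable $2 with -Dlog4j2.formatMsgNoLookups=true?
# Works for "tomcat.generaloptions=..." and for 'SOLR_OPTS="$SOLR_OPTS ..."'.
has_nolookups_flag() {
    grep -E "^[[:space:]]*$2[[:space:]]*=.*-Dlog4j2\.formatMsgNoLookups=true" "$1" >/dev/null 2>&1
}

# Print "<jar path> <status>" for every log4j-core jar below directory $1.
scan_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while read -r jar; do
        v=$(basename "$jar" .jar)
        v=${v#log4j-core-}
        printf '%s %s\n' "$jar" "$(log4j_status "$v")"
    done
}

# Print findings for an installation rooted at $1; return the number of findings.
audit_tree() {
    n=0
    if ! has_nolookups_flag "$1/config/local.properties" tomcat.generaloptions; then
        echo "FINDING: tomcat.generaloptions lacks -Dlog4j2.formatMsgNoLookups=true"
        n=$((n + 1))
    fi
    if ! has_nolookups_flag "$1/solr/bin/solr.in.sh" SOLR_OPTS; then
        echo "FINDING: SOLR_OPTS lacks -Dlog4j2.formatMsgNoLookups=true"
        n=$((n + 1))
    fi
    scan_log4j_jars "$1" | grep -v ' fixed$' | sed 's/^/FINDING: jar /'
    bad=$(scan_log4j_jars "$1" | grep -vc ' fixed$' || true)
    n=$((n + bad))
    return "$n"
}

# Build a constructed sample tree under $1 (for the jars only the names matter).
make_sample_tree() {
    mkdir -p "$1/config" "$1/tomcat/lib" "$1/solr/bin" "$1/solr/server/lib/ext"
    printf '%s\n' '# constructed sample: flag still missing for Tomcat' \
        'tomcat.generaloptions=-Xmx4G -Dfile.encoding=UTF-8' > "$1/config/local.properties"
    printf '%s\n' '# constructed sample: flag already set for Solr' \
        'SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"' > "$1/solr/bin/solr.in.sh"
    : > "$1/tomcat/lib/log4j-core-2.14.1.jar"
    : > "$1/solr/server/lib/ext/log4j-core-2.16.0.jar"
}

# Demo on the constructed tree (temporary directory, removed afterwards).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
if audit_tree "$tmp"; then
    echo "no action needed"
else
    echo "findings above need action (flag for Tomcat, and a patched log4j)"
fi
rm -rf "$tmp"
```

On a real system point audit_tree at the commerce root and adjust the two file names to where your tomcat.generaloptions and SOLR_OPTS actually live; the jar scan works on any directory. Classifying by file name is deliberately cheap and offline, so a jar that was renamed or repackaged (for example log4j bundled inside another jar) will not be seen by it.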

If you know more vulnerabilities or want to give a hint/additional information feel free to comment 🙂

Update: SAP has created a note with the recommendation to add the option

Update 2: SAP released patch version 20 of SAP Commerce Cloud on Premise on 23.12.2021, which contains the log4j library 2.16.0. In the updated note SAP states that they are not affected by CVE-2021-45105.

