CVE-2021-44228 Log4Shell Vulnerability in SAP Commerce Cloud on Premise

A lot of companies are facing the Log4Shell vulnerability at the moment. Apache log4j versions <= 2.14.1 can be exploited to run arbitrary (malicious) code supplied from a remote machine. Unfortunately, there is still no official answer from SAP, therefore I want to share my knowledge on how to fix that issue. There is no guarantee of completeness, and your SAP Commerce setup could be different and may need more changes. Further, I don’t take any responsibility if you damage your system or whatever. Test your system beforehand, make a backup and check out the SAP Commerce help sites! I only want to share my experiences with you.

To mitigate the vulnerability, extend tomcat.generaloptions in your local.properties: set the JVM system property log4j2.formatMsgNoLookups to true next to your other options.

tomcat.generaloptions= ... -Dlog4j2.formatMsgNoLookups=true

In addition to this configuration, I also added the option to Solr, in solr.in.sh. You can find the file here:

// path to solr.in.sh
{install_folder}/hybris/bin/modules/search-and-navigation/solrserver/resources/solr/8.9/bin

Now you can add the option to the file:

SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"

Another way is to replace the log4j libraries in the Commerce installation with a fixed version. You can find the libraries here:

// commerce
{install_folder}/hybris/bin/platform/ext/core/lib

// solr | version directory depends on your commerce version
{install_folder}/hybris/bin/modules/search-and-navigation/solrserver/resources/solr/8.9/server/server/lib/ext

// solr prometheus exporter | version directory depends on your commerce version
{install_folder}/hybris/bin/modules/search-and-navigation/solrserver/resources/solr/8.9/server/contrib/prometheus-exporter/lib


The exchange caused an issue on my platform: the loggers disappeared. Luckily, I found a comment on answer.sap.com. He mentioned removing the option -Dlog4j.configuration=log4j_init_tomcat.properties. This did the trick and all loggers worked again. The property has not been used by SAP Commerce since version 1811.
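To verify that the three steps above (the tomcat.generaloptions flag, the SOLR_OPTS flag and the library exchange) actually took effect, and that the legacy -Dlog4j.configuration option is gone, the following POSIX shell audit can be run against the installation root. It is an added example and is not part of the original post or of SAP's tooling. The directory layout, the location hybris/config/local.properties and the root path /opt/hybris are assumptions taken from this post; adapt them to your own setup. It reads versions from the jar file names only, so a log4j-core jar renamed by hand is not detected.

```shell
#!/bin/sh
# Added example, not from the original post or from SAP: audit an SAP Commerce
# on-premise tree for the Log4Shell mitigations described in the post.
# Directory layout and file names are assumptions; adapt them to your install.

# List every log4j-core jar below $1 as "<path> <version>", taking the version
# from the file name (log4j-core-2.14.1.jar -> 2.14.1). Paths must not contain spaces.
list_log4j_core_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
        base=$(basename "$jar")
        ver=${base#log4j-core-}
        ver=${ver%.jar}
        printf '%s %s\n' "$jar" "$ver"
    done
}

# Succeed (exit 0) when version $1 is below 2.16.0, i.e. a release that still
# ships the JNDI lookup feature; only the numeric major.minor part is compared.
version_below_2_16() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    major=${major%%[!0-9]*}   # drop qualifiers such as "-beta9"
    minor=${minor%%[!0-9]*}
    [ "${major:-0}" -lt 2 ] && return 0
    [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -lt 16 ] && return 0
    return 1
}

# Print the jars below $1 that are still older than 2.16.0, one per line.
list_vulnerable_jars() {
    list_log4j_core_jars "$1" | while read -r jar ver; do
        if version_below_2_16 "$ver"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Print how many such jars exist below $1 (prints 0 when there are none).
count_vulnerable_jars() {
    list_vulnerable_jars "$1" | grep -c . || true
}

# Succeed when the line in file $2 that starts with key $1 (tomcat.generaloptions
# in local.properties, SOLR_OPTS in solr.in.sh) carries the mitigation flag.
has_no_lookups_flag() {
    grep -E "^[[:space:]]*$1" "$2" 2>/dev/null | grep -q -- '-Dlog4j2.formatMsgNoLookups=true'
}

# Succeed when file $1 still passes the legacy option that the post reports as
# making the loggers disappear after the library exchange.
has_legacy_log4j_config() {
    grep -q -- '-Dlog4j.configuration=log4j_init_tomcat.properties' "$1" 2>/dev/null
}

# Human-readable report for an installation root, e.g. audit_commerce_install /opt/hybris
audit_commerce_install() {
    root=$1
    echo "log4j-core jars below 2.16.0 under $root: $(count_vulnerable_jars "$root")"
    list_vulnerable_jars "$root"
    props="$root/hybris/config/local.properties"   # assumed location of local.properties
    if has_no_lookups_flag tomcat.generaloptions "$props"; then
        echo "tomcat.generaloptions: formatMsgNoLookups flag present"
    else
        echo "tomcat.generaloptions: formatMsgNoLookups flag MISSING in $props"
    fi
    if has_legacy_log4j_config "$props"; then
        echo "warning: legacy -Dlog4j.configuration option still set in $props"
    fi
    find "$root" -type f -name 'solr.in.sh' 2>/dev/null | while read -r f; do
        if has_no_lookups_flag SOLR_OPTS "$f"; then
            echo "SOLR_OPTS: flag present in $f"
        else
            echo "SOLR_OPTS: flag MISSING in $f"
        fi
    done
}
```

Run it as `audit_commerce_install /opt/hybris` after sourcing the file; every jar it lists is one that still needs the exchange, and a MISSING line means the corresponding JVM option never reached the process.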

If you know more vulnerabilities or want to give a hint/additional information feel free to comment 🙂

Update: SAP has created a note with the recommendation to add the option https://launchpad.support.sap.com/#/notes/3130967.

Update 2: SAP released patch version 20 of SAP Commerce Cloud on Premise on 23.12.2021, which contains log4j 2.16.0. In the updated note, SAP mentions that they are not affected by CVE-2021-45105.
