Sage 100

  Thread closed by the administrator, not accepting new replies.
  • 1.  Does Sage use Java Log4j

    Posted 12-14-2021 12:55
    No replies, thread closed.
    Client's IT is asking whether Sage uses Java Log4j. Client is on Sage 100 Premium 2018.2. Does anyone know whether Sage uses this? IT indicates there is a critical flaw.

    Thanks.

    ------------------------------
    Mary Mays
    Sr. Consultant, DSD Business Systems
    DSD Business Systems
    Goddard KS
    316-269-4264
    ------------------------------


  • 2.  RE: Does Sage use Java Log4j

    Posted 12-14-2021 12:59

    I am not 100% sure about Sage 100 yet, but Sage CRM is impacted. From Knowledgebase:

    https://support.na.sage.com/selfservice/viewdocument.do?noCount=true&externalId=113739&sliceId=1&noCount=true&isLoadPublishedVer=&docType=kc&docTypeID=DT_Article&stateId=19677&cmd=displayKC&dialogID=1151662&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl&openedFromSearchResults=



    ------------------------------
    Madeline Stefanou
    RKL eSolutions, LLC
    ------------------------------



  • 3.  RE: Does Sage use Java Log4j

    Posted 12-14-2021 12:59
    Log4J Vulnerability notification
    Created on 12-13-2021 | Last modified on 12-13-2021
    Summary
    Sage was alerted (Friday 10th December 2021) to a critical remote code execution vulnerability within all Apache log4j versions 2.0-beta9 to 2.14.1.
    References
    https://logging.apache.org/log4j/2.x/security.html
    https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
    A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Log4j to execute arbitrary code (either as the user the server is running as, or root). These are the sorts of vulnerabilities that could be exploited automatically by worms.
    The Apache Log4J 2 library is used in the 2020 R2, 2021 R1, and 2021 R2 versions of Sage CRM.
    The Sage CRM Development Team has investigated this as a critical issue.
    Manual Mitigation
    Apache has advised that:
    "This behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class."
    Patches for Sage CRM
    Sage has 3 patches in test for
    • Sage CRM 2020 R2
    • Sage CRM 2021 R1
    • Sage CRM 2021 R2
    Availability of the patches will be announced on Sage City.
    Please watch the following Sage City links for news:
    Sage City page: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts
    Sage City feed: https://www.sagecity.com/sage-global-solutions/sage-crm/f/sage-crm-announcements-news-and-alerts/rss
    This applies for Sage CRM stand alone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 300, Sage X3 and Sage Intacct.
    Resolution
    This issue is currently being investigated.
    Keywords: Log4j, Java, Apache
    Product: Sage X3
    Solution ID: 113739
    Published on: 12-13-2021
    Applies to: Security


    ------------------------------
    Madeline Stefanou
    RKL eSolutions, LLC
    ------------------------------
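
An added example, not part of the thread and not Sage or Apache code: a Python check that opens a jar or war (nested archives included), reads the log4j-core version from the `pom.properties` file Maven-built jars carry, compares it with the 2.0-beta9 to 2.14.1 range in the notice above, and reports whether `JndiLookup.class` is still present. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def in_affected_range(version):
    """True if version lies in 2.0-beta9 .. 2.14.1, None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", version)
    if not m:
        return None  # unknown format: needs a manual look
    major, minor, patch, tag = int(m[1]), int(m[2]), int(m[3] or 0), m[4]
    if major != 2:
        return False
    if (minor, patch) == (0, 0) and tag:
        # 2.0 pre-releases: only beta9 and the release candidates are in range
        return tag == "beta9" or tag.startswith("rc")
    return (minor, patch) <= (14, 1)

def scan_archive(data, label="<archive>"):
    """Return one finding per log4j-core copy found, nested archives included."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"path": label, "version": version,
                             "in_range": in_affected_range(version),
                             "jndi_lookup_present": JNDI_CLASS in names})
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                try:
                    findings += scan_archive(zf.read(name), f"{label}!/{name}")
                except zipfile.BadZipFile:
                    pass  # entry is not a readable archive; skip it
    return findings

def make_jar(files):
    """Build an in-memory archive from {name: bytes} for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a WAR bundling an unmitigated log4j-core 2.14.1.
SAMPLE_WAR = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": make_jar(
    {POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})})
```

A finding with `in_range` true and `jndi_lookup_present` false is a copy where the class-removal mitigation quoted above has already been applied.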




  • 5.  RE: Does Sage use Java Log4j

    Posted 12-14-2021 13:03
    I think this should be consolidated into one thread or it's going to become difficult to find relevant info quickly. 

    x-ref

    ------------------------------
    Wayne Schulz
    Schulz Consulting
    860-516-8990
    ------------------------------



  • 6.  RE: Does Sage use Java Log4j

    Posted 12-14-2021 13:38
    FYI, that big Kronos Ransomware shutdown (they will be down at least a week) was caused through log4j

    ------------------------------
    Mark Chinsky
    Clients First Business Solutions
    ------------------------------



  • 7.  RE: Does Sage use Java Log4j

    Posted 12-14-2021 13:54
    If anyone hears about issues with web / EDI enhancements (MAPADOC, WSP, InSynch, TrueCommerce, SIA, DataSelf...), please do share here.

    ------------------------------
    Kevin Moyes
    Technical Systems Analyst
    Munjal White Consulting Co.
    Toronto ON
    ------------------------------