Sage 100

Important update: Apache Log4j vulnerability

Dear Partner,

I want to update you on the Apache Log4j vulnerability that was initially announced on Friday, December 10, 2021, with a subsequent issue being reported on Dec. 15. This is being widely reported as one of the most serious and widespread security vulnerabilities ever discovered-potentially billions of devices and services are at risk. Security and IT teams around the world have spent the last few days attempting to understand and remediate it.

The very largest companies such as Microsoft, Apple, Cisco, and many others have been impacted (even games such as Minecraft)-there are very few companies unaffected because the Log4j library is so ubiquitous.

Impact to Sage

As with all large organizations, the vulnerable Log4j component is present in Sage's technology environments, and teams across the business are working around the clock to mitigate the risk. Good visibility of impacted and potentially impacted services has been achieved, but the investigation continues across all areas.

Sage is in the process of patching its internal systems. We are continuing to work at pace on Sage product areas that have the potential to be exposed to this vulnerability. As patches become available for Sage products, they will be made available in the usual way through our support sites.

Updates on Sage products we have patched

·     Three online product/services use the vulnerable version of Log4j (Payments Acceptance, Compliance Service and Maxwell Service). All three were protected by tailored web application firewall rules from December 10 and were patched over the weekend-there is no action needed from customers or partners.  

Sage products with potential vulnerability

·     Sage CRM is the only desktop product known to be affected. The manual mitigation published by Apache will eliminate this. Patches have been produced for impacted versions including (2020 R2, 2021 R1, and 2021 R2) and are at the test stage. As soon as the patch is through QA and available to customers, we will issue this through the usual channels.
 

·     Sage X3 software is not exposed to the log4j vulnerability; however, Sage X3 integrates natively with a third-party solution called Elasticsearch. Sage X3 versions 11 and 12 are likely to be integrated with impacted instances of Elasticsearch (e.g. version 7.9 and above), but not exposed if our published security best practices have been followed.

We encourage our customers and partners to review their Elasticsearch installation and follow the security applicable remediation from this provider. Please note that information and guidance on Sage X3 security best practices are available in the Sage X3 online help. Logon to the Sage Partner Hub to view the FAQ. 

It's important that we show up for our customers consistently-please see below a holding statement for use when supporting customers or on your customer-facing support sites.

Best regards

Nancy Teixeira
VP Partner Strategy and Sales
Sage

Customer support statement

"Sage and its partners take the security of its customer solutions extremely seriously and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. Following the initial announcement of the Apache Log4j vulnerability on December 10, 2021, and subsequent updates, Sage has been investigating the potential impact on our products and services.

Our initial findings indicate there are no exposed systems in the Sage products or architecture stack that uses log4j. Where we have identified the potential for vulnerability, we have issued an initial patch. We are proactively monitoring the situation and applying and supplying new patches if required.

However, working with our industry peers and in an abundance of caution, we are upgrading our version of log4j in all areas of our business that use this third-party component.

If you have further questions, please speak to your account manager in the first instance. We thank you for your patience in this matter."

Important update: Apache Log4j vulnerability

Dear Partner,

I want to update you on the Apache Log4j vulnerability that was initially announced on Friday, December 10, 2021, with a subsequent issue being reported on Dec. 15. This is being widely reported as one of the most serious and widespread security vulnerabilities ever discovered-potentially billions of devices and services are at risk. Security and IT teams around the world have spent the last few days attempting to understand and remediate it.

The very largest companies such as Microsoft, Apple, Cisco, and many others have been impacted (even games such as Minecraft)-there are very few companies unaffected because the Log4j library is so ubiquitous.

Impact to Sage

As with all large organizations, the vulnerable Log4j component is present in Sage's technology environments, and teams across the business are working around the clock to mitigate the risk. Good visibility of impacted and potentially impacted services has been achieved, but the investigation continues across all areas.

Sage is in the process of patching its internal systems. We are continuing to work at pace on Sage product areas that have the potential to be exposed to this vulnerability. As patches become available for Sage products, they will be made available in the usual way through our support sites.

Updates on Sage products we have patched

·     Three online product/services use the vulnerable version of Log4j (Payments Acceptance, Compliance Service and Maxwell Service). All three were protected by tailored web application firewall rules from December 10 and were patched over the weekend-there is no action needed from customers or partners.  

Sage products with potential vulnerability

·     Sage CRM is the only desktop product known to be affected. The manual mitigation published by Apache will eliminate this. Patches have been produced for impacted versions including (2020 R2, 2021 R1, and 2021 R2) and are at the test stage. As soon as the patch is through QA and available to customers, we will issue this through the usual channels.
 

·     Sage X3 software is not exposed to the log4j vulnerability; however, Sage X3 integrates natively with a third-party solution called Elasticsearch. Sage X3 versions 11 and 12 are likely to be integrated with impacted instances of Elasticsearch (e.g. version 7.9 and above), but not exposed if our published security best practices have been followed.

We encourage our customers and partners to review their Elasticsearch installation and follow the security applicable remediation from this provider. Please note that information and guidance on Sage X3 security best practices are available in the Sage X3 online help. Logon to the Sage Partner Hub to view the FAQ. 

It's important that we show up for our customers consistently-please see below a holding statement for use when supporting customers or on your customer-facing support sites.

Best regards

Nancy Teixeira
VP Partner Strategy and Sales
Sage

Customer support statement

"Sage and its partners take the security of its customer solutions extremely seriously and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. Following the initial announcement of the Apache Log4j vulnerability on December 10, 2021, and subsequent updates, Sage has been investigating the potential impact on our products and services.

Our initial findings indicate there are no exposed systems in the Sage products or architecture stack that uses log4j. Where we have identified the potential for vulnerability, we have issued an initial patch. We are proactively monitoring the situation and applying and supplying new patches if required.

However, working with our industry peers and in an abundance of caution, we are upgrading our version of log4j in all areas of our business that use this third-party component.

If you have further questions, please speak to your account manager in the first instance. We thank you for your patience in this matter."

Important update: Apache Log4j vulnerability

Dear Partner,

I want to update you on the Apache Log4j vulnerability that was initially announced on Friday, December 10, 2021, with a subsequent issue being reported on Dec. 15. This is being widely reported as one of the most serious and widespread security vulnerabilities ever discovered-potentially billions of devices and services are at risk. Security and IT teams around the world have spent the last few days attempting to understand and remediate it.

The very largest companies such as Microsoft, Apple, Cisco, and many others have been impacted (even games such as Minecraft)-there are very few companies unaffected because the Log4j library is so ubiquitous.

Impact to Sage

As with all large organizations, the vulnerable Log4j component is present in Sage's technology environments, and teams across the business are working around the clock to mitigate the risk. Good visibility of impacted and potentially impacted services has been achieved, but the investigation continues across all areas.

Sage is in the process of patching its internal systems. We are continuing to work at pace on Sage product areas that have the potential to be exposed to this vulnerability. As patches become available for Sage products, they will be made available in the usual way through our support sites.

Updates on Sage products we have patched

·     Three online product/services use the vulnerable version of Log4j (Payments Acceptance, Compliance Service and Maxwell Service). All three were protected by tailored web application firewall rules from December 10 and were patched over the weekend-there is no action needed from customers or partners.  

Sage products with potential vulnerability

·     Sage CRM is the only desktop product known to be affected. The manual mitigation published by Apache will eliminate this. Patches have been produced for impacted versions including (2020 R2, 2021 R1, and 2021 R2) and are at the test stage. As soon as the patch is through QA and available to customers, we will issue this through the usual channels.
 

·     Sage X3 software is not exposed to the log4j vulnerability; however, Sage X3 integrates natively with a third-party solution called Elasticsearch. Sage X3 versions 11 and 12 are likely to be integrated with impacted instances of Elasticsearch (e.g. version 7.9 and above), but not exposed if our published security best practices have been followed.

We encourage our customers and partners to review their Elasticsearch installation and follow the security applicable remediation from this provider. Please note that information and guidance on Sage X3 security best practices are available in the Sage X3 online help. Logon to the Sage Partner Hub to view the FAQ. 

It's important that we show up for our customers consistently-please see below a holding statement for use when supporting customers or on your customer-facing support sites.

Best regards

Nancy Teixeira
VP Partner Strategy and Sales
Sage

Customer support statement

"Sage and its partners take the security of its customer solutions extremely seriously and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. Following the initial announcement of the Apache Log4j vulnerability on December 10, 2021, and subsequent updates, Sage has been investigating the potential impact on our products and services.

Our initial findings indicate there are no exposed systems in the Sage products or architecture stack that uses log4j. Where we have identified the potential for vulnerability, we have issued an initial patch. We are proactively monitoring the situation and applying and supplying new patches if required.

However, working with our industry peers and in an abundance of caution, we are upgrading our version of log4j in all areas of our business that use this third-party component.

If you have further questions, please speak to your account manager in the first instance. We thank you for your patience in this matter."