Skip to content
logo Knowledgebase

Important update: Apache Log4j vulnerability

Created on  | Last modified on 

Summary

This communication was issued to our Business Partner communities for Sage 200, Sage CRM, Sage X3, Sage Intacct and Sage 50 .

Description

This communication was sent 16 December 2021.

Important update: Apache Log4j vulnerability

Notice 21-DQ | 16 December 2021

Dear Partner,

I want to update you on the Apache Log4j vulnerability, which was initially announced on Friday 10 December, with a subsequent issue being reported on Tuesday 14 December. This is being widely reported as one of the most serious and widespread security vulnerabilities ever discovered - potentially billions of devices and services are at risk. Security and IT teams around the world have spent the last few days attempting to understand and remediate it.

The very largest companies such as Microsoft, Apple, Cisco, and many others have been impacted (even games such as Minecraft) - there are very few companies unaffected because the Log4j library is so ubiquitous.

Impact to Sage

As with all large organisations, the vulnerable Log4j component is present in Sage’s technology environments and teams across the business are working around the clock to mitigate the risk. Good visibility of impacted and potentially impacted services has been achieved but the investigation continues across all areas. Sage is in the process of patching its internal systems. We are continuing to work at pace on Sage product areas that have the potential to be exposed to this vulnerability. As patches become available for Sage products, they will be made available in the usual way – via our support sites.

Updates on Sage products we have patched:

  • Online products – three online product/services use the vulnerable version of Log4j (Payments Acceptance, Compliance Service and Maxwell Service). All three were protected by tailored web application firewall rules from Friday morning (10 December) and were patched over the weekend, there is no action needed from customers or partners.
  • Sage Products

     

    Sage CRM - Sage CRM is known to be affected. The manual mitigation published by Apache will eliminate this. Patches have been produced for impacted versions including (2020 R2, 2021 R1 and 2021 R2) and are at the test stage. As soon as the patches are through QA and available to customers, we will issue this through the usual channels.

    Sage X3 – Sage X3 software is not exposed to the log4j vulnerability, however, Sage X3 integrates natively with a third-party solution called Elasticsearch. Sage X3 versions 11 and 12 are likely to be integrated with impacted instances of Elasticsearch (e.g. version 7.9 and above) but not exposed if our published security best practices have been followed.

    Therefore, we encourage our customers and partners to review their Elasticsearch installation and follow the security applicable remediation from this provider. Please note that information and guidance on Sage X3 security best practices are available in the Sage X3 online help. An FAQ is available and will also be posted to the Partner Hub and Partner portals.

Customer Support Statement

It’s important that we show up for our customers consistently – please see below a holding statement for use when supporting customers, or on your customer-facing support sites.

“Sage and its partners take the security of its customer solutions extremely seriously, and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. Following the initial announcement of the Apache Log4j vulnerability on 10th December and subsequent updates, Sage has been investigating the potential impact on our products and services.

Our initial findings indicate there are no exposed systems in the Sage Products or architecture stack that uses log4j –where we have identified the potential for vulnerability, we have issued an initial patch – we are proactively monitoring the situation and applying and supplying new patches as and if required.

However, working with our industry peers and in an abundance of caution, we are upgrading our version of log4j in all areas of our business that use this 3rd party component.

If you have further questions, please speak to your account manager in the first instance. We thank you for your patience in this matter.”

Many thanks for your support in this matter – should you have any product related questions please contact customer support or your partner account manager.

Thanks

Colleague

Paul Emsley-Martin (VP Partners)