Hybris SAP Commerce Cloud - Log4j Vulnerability Solution

The Log4j vulnerability is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10. I hope by now you are already aware of Log4j Vulnerability (CVE-2021-44228). Hence, In this article, I'll not cover more about what log4j vulnerability is.

Now let's talk about what is the quick solution or precautionary measures for the SAP Commerce Hybris.



If your Hybris solution is on-premise or with SAP Infrastructure (CCV1) then you should take preventive measures either removing JNDI classes from existing log4j-core-*.jar or upgrading all log4j libs. As of now, let's go with the first option which looks like a quick and easy fix to me.

1) Create /hybris/config/customize/platform/ext/core/lib folder structure in your project

2) Copy /hybris/bin/platform/ext/core/lib/log4j-core-.jar* file to /hybris/config/customize/platform/ext/core/lib

3) Go to /hybris/config/customize/platform/ext/core/lib and execute below two commands which exclude Jndi classes.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/net/JndiManager.class

 

4) Your lib is ready to use. You can commit this jar to the code repository (Git) 

5) Make sure to execute the below command during the hybris build process in all the environments. This will override the Hybris OOTB log4j-core-*.jar 

ant customize


If you are using SAP Cloud Commerce CCV2, I think you do not need to take any action for Log4J. However, please consult with your implementation/license partner.

Source: https://launchpad.support.sap.com/#/notes/0003130982


Author Image

Ankitkumar Patel

Sr. SAP Hybris consultant, having 6+ years experience in Hybris, Java, J2EE. Extensive hands-on experience in SAP Hybris development, third-party integrations with Hybris, project architecture and design... Read more

Comments

Popular posts from this blog

Hybris flexible search query examples

How to remove or update all data records in Hybris?

Hybris backoffice customization