Widespread security issue with worldwide impact on software vendors and applications
You may be aware of the recently disclosed critical-level vulnerability in Log4j 2 known as Log4Shell. The Apache Log4j vulnerability was initially announced on Friday 10 December, with a subsequent issue being reported on Tuesday 14 December.
This is being widely reported as one of the most serious and widespread security vulnerabilities ever discovered – potentially billions of devices and services are at risk. Security and IT teams around the world have spent the last few days attempting to understand and remedy it.
The very largest companies such as Microsoft, Apple, Cisco, and many others have been impacted (even games such as Minecraft) – there are very few companies unaffected because the Log4j library is so ubiquitous.
How does it impact your Sage software?
As with all large organisations, the vulnerable Log4j component is present in Sage’s technology environments, and teams across Sage are working around the clock to mitigate the risk. Good visibility of impacted and potentially impacted services has been achieved but the investigation continues across all areas.
Sage is in the process of patching its internal systems and continuing to work at pace on its product areas that have the potential to be exposed to this vulnerability. As patches become available for Sage products, they will be made available in the usual way – via Sage’s support sites.
Updates on patched Sage products:
- Online products – Three Sage online products/services use the vulnerable version of Log4j (Payments Acceptance, Compliance Service and Maxwell Service). All three were protected by tailored web application firewall rules from Friday morning (10 December) and were patched by Sage over the weekend. There is no action needed from customers.
- Sage CRM – Sage CRM is known to be affected. The manual mitigation published by Apache will eliminate this. Patches have been produced for the impacted versions (2020 R2, 2021 R1 and 2021 R2) and are at the test stage. All other versions of CRM are NOT affected by this issue. As soon as Sage has announced that the patches are through QA and available, we will update all affected PKF SCS customers and arrange for them to be applied.
Updates on Sage ISVs and Sage add-on products:
Aside from the core Sage products we have also been in contact with all of our key third party suppliers. Both Sicon and Draycir have confirmed that none of their applications uses log4j and therefore should not be impacted.
Panintelligence is, however, affected, and they have produced a new software version that was released from testing on the afternoon of Thursday 16 December. Unfortunately, this fix is a full upgrade of Panintelligence, so the work involved will vary from site to site depending on your installed version. Your Smith Cooper account manager will be in touch immediately to confirm the details and arrange your upgrade.
Customer support statement from Sage
“Sage and its partners take the security of its customer solutions extremely seriously, and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. Following the initial announcement of the Apache Log4j vulnerability on 10th December and subsequent updates, Sage has been investigating the potential impact on our products and services.
Our initial findings indicate there are no exposed systems in the Sage products or architecture stack that use log4j – where we have identified the potential for vulnerability, we have issued an initial patch – we are proactively monitoring the situation and applying and supplying new patches as and if required.
However, working with our industry peers and in an abundance of caution, we are upgrading our version of log4j in all areas of our business that use this 3rd party component.
If you have further questions, please speak to your account manager in the first instance. We thank you for your patience in this matter.”
If you would like to discuss the Apache Log4j vulnerability and if this affects your Sage product installation in more detail then contact us on 01332 959008 or email [email protected].
Interested to know more about our Sage solutions?
Call 01332 959008 or enquire online today