SAP has been working around the clock to patch apps vulnerable to the Log4Shell flaw, releasing 21 fixes in its Patch Tuesday update. SAP has identified 32 different apps that have been affected by the critical vulnerability, which lies in the Apache Log4j Java-based jogging library that has been under active attack since last week. The German software maker reported that it has been able to patch 20 of the affected apps so far, and has provided workarounds for others. Log4Shell has taken the cybersecurity industry by surprise due to its ubiquitous nature and how easy it is to exploit. The vulnerability has spun off into even more dangerous variations, including another vulnerability in Apache’s fast-baked patch.
Threat actors across the world have been leveraging the vulnerability since news of its existence broke. Between Sunday and Wednesday morning, SAP was able to release 50 SAP Notes and Knowledge Base entries that focus on Log4j, highlighting its importance and the complexity of the situation. SAP’s latest Patch Tuesday included two patches for vulnerabilities not related to Log4j, one in HotNews Notes and six HIgh Priority Notes. The most critical non-Log4Shell patches are a duo for SAP Commerce that were both released with a CVSS score of 9.9.
