Disclaimer and first things first:
First: in Note “3132233 – CVE-2021-44228 – Log4j vulnerability no impact on ADT and BWMT”, SAP states that the ABAP Development Tools (ADT) and the BW Modeling Tools (BWMT) are not affected by the Log4j vulnerability (as of 20.12.2021).
Second: all observations here are my own and have no relation to SAP. They are triggered purely by curiosity.
That said: if you are interested, read on. If you are just worried about Log4j and want to know about ADT and BWMT, go to Note 3132233.
What is Log4j and why should I care?
Log4j is a Java logging library that is used in quite a lot of products. It became infamous due to the recent zero-day vulnerability called Log4Shell (CVE-2021-44228). Details:
To clarify, because this sometimes gets confusing: only Log4j 2 (versions 2.0-beta9 through 2.14.1) is affected by CVE-2021-44228; Log4j 1.x does not contain the JNDI lookup at all and is not affected by this CVE (as of 20.12.2021, things are changing fast these days…).
What is installed with ADT and BWMT?
So, even though SAP stated I don’t need to worry, I’d like to know what’s on my system. I installed Eclipse 2021-09 on my machine (Eclipse Download). This blog post gives a crisp howto for installing it together with the SapMachine Java VM.
After doing so, a plain Eclipse 2021-09 install shows no trace of any Log4j package: open “Help > About Eclipse IDE”, choose “Installation Details” and search the installed plugins for “log4j”.
After installing the ADT plugin the first Log4j trace shows up. The plugin “Apache Jakarta log4j Plug-in” comes from a provider called Eclipse Orbit. Fortunately it is version 1.2.15, which is not affected by CVE-2021-44228, so nothing to worry about on that front (“too old to be dangerous” is a joke, not a security argument: Log4j 1.x is end-of-life and has its own, unrelated issues, see the Xtext discussion below). 😉 But what is Orbit?
“Orbit is a project designed to be a repository for third party libraries that are approved for use in Eclipse projects and are to be used/distributed as bundles” (https://wiki.eclipse.org/Orbit/FAQ). According to https://projects.eclipse.org/projects/tools.orbit no development takes place in this project; it is merely a catalogue of bundled third-party libraries, which keeps naming and versioning consistent across Eclipse projects. In the current build you can see which log4j version is in which bundle: https://download.eclipse.org/tools/orbit/downloads/
After installing the BWMT plugin we get the second Log4j entry: the plugin “Xtext Log4J Fragment” is installed by the provider “Eclipse Xtext” (also version 1.2.15, so we are some lucky guys). And again: what the hell is that?
Xtext is a framework for developing DSLs (domain-specific languages), so you can… uh, code your own programming language (Wikipedia).
A nice discussion about moving from Log4j 1 to Log4j 2 can be found here: https://github.com/eclipse/xtext-core/issues/1363. Quote: “Given the recent incidents with log4j 2.x, I’d say it’s good that we’re on a log4j version that is not affected by these and that is practically not exposing any CVEs. Practically meaning, the known security risks of log4j 1.x are only relevant in rare cases, where a SocketServer is created and kept alive, but not subject to an attack vector based on the contents of log messages.”
And now for something completely different
Can’t get enough of Log4j? https://log4jmemes.com/