Log4j Software Vulnerability: Software Impacted and Updates Available

Apache Log4j Vulnerability

With the recently discovered exploitation of the Apache Log4j vulnerability (also known as Log4Shell), it’s important to know if this vulnerability applies to you and what to do moving forward if it does. As your trusted technology partner, we want to deliver all the crucial information needed to be able to mitigate risk and vulnerability during this time. Read on to get the latest updates surrounding Apache Log4j and what to do if affected.

What is Apache Log4j?

Apache Log4j is a Java-based logging utility that is part of the Apache Logging Services, which is distributed free by the nonprofit Apache Software Foundation. The Log4j framework is used by software developers to record user activities and application behavior for further review. Log4j has been downloaded millions of times and is one of the most extensively used tools for collecting data across corporate computer networks, websites, and apps.

On December 9, 2021, a vulnerability was discovered that might allow an attacker to compromise a system running Apache Log4j 2 version 2.14.1 or lower and execute arbitrary code. This means that an attacker can get access to your machine and take control, allowing them to install malware, get access to passwords, spy on what you’re doing, and more.

The Log4Shell vulnerability has a severity score of 10.0, which is the highest possible score for a vulnerability. Apache, along with companies that use Log4j, is working diligently to release patches and updates to stop the vulnerability and the threats that come with this issue. Keep up to date with Apache Log4j updates here.

Who is affected?

Sage Product Vulnerability

Sage’s technology environments do contain the susceptible Log4j component, and teams from across the company are working around the clock to mitigate the risk. Sage is currently in the process of patching their internal systems and these patches are being made available as they come out. The products with potential vulnerability are: 

  • Sage CRM: This is the only desktop product as of now that is known to be affected. Luckily, Apache has published a manual mitigation that will remove any vulnerability.
    • The patches for Sage CRM are now being tested for the following versions: Sage CRM 2020 R2, Sage CRM 2021 R1, Sage CRM 2021 R2.
    • The Sage Regions will announce the appropriate download links shortly when the patches are ready, and share the status of their application to integrated products.
  • Sage X3 is affected by the vulnerability due to its native integration with a third-party solution called Elasticsearch.
    • According to Sage, X3 versions 11 and 12 are likely to be integrated with impacted instances of Elasticsearch (e.g. version 7.9 and above), but not exposed if their published security best practices have been followed.
  • Sage Intacct: cleared at this time. 
  • Sage 100 SPC: Portal and landing page do not use the Apache Log4J library and are not impacted.
  • Sage 100 with Sage CRM: Sage CRM have produced patches which are currently being tested. Sage will advise on results and availability ASAP. 
  • Quick Entry Sales Order integration: This feature does use the Log4J 1 library but the Log4J 1 library is not affected by this vulnerability.  
  • Sage Intelligence reporting components of Sage 100: cleared at this time. 
  • Sage Fixed Assets and Sage HRMS: cleared at this time.  
  • Crystal Reports and Aatrix: The SAP team has confirmed there is no impact on the software used for payroll e-filing and published this statement stating they are also not impacted.
  • Sage 300: The Apache Log4J 2 library is NOT used in the 2022, 2021, and 2020 versions of Sage 300.

Acumatica Product Vulnerability

Acumatica has already taken action to thoroughly analyze any potential issues within their platform related to Log4j and determined that there is no immediate threat to Acumatica users. Acumatica operates through Microsoft IIS-hosted services and therefore does not use Apache Log4j, making the SaaS platform safe from exploitation.

Acumatica makes a constant effort to monitor and assess their environment for any potential vulnerabilities across their hosted products in order to protect both their self-hosted and SaaS customers. Acumatica uses a mature formal process to handle vulnerabilities that are identified both internally and externally. 

Learn more about Acumatica’s cyber security here.

Criterion Product Vulnerability

Criterion HCM is not affected by the Log4j issues and users do not need to worry about product vulnerability. Customers can keep up with Criterion news and updates here.

What should you do?

The most important thing to do is make sure that all of the software that you use is up to date. Most affected software vendors are already pushing out patches and updates to combat the vulnerability, so if you see an available update somewhere, make sure you install it.

It’s important to check any third-party applications you may be using for updates if they use Java. Staying up to date with both software and the news surrounding Log4Shell are the most critical things to do in order to be protected from this vulnerability.

Keep up to date with Acumatica Log4j news here.

Keep up to date with Sage Log4j news here.

Keep up to date with Apache Log4j news here.

Keep up to date with Criterion news here.

The DSD team will continue to monitor this vulnerability closely. If you have further questions, please reach out to us at or contact your account manager.

If you have any concerns about security, please feel free to contact us.
