There was a problem loading the comments.

LOG4J - No, We Do NOT Use Log4J

Support Portal  »  News  »  Viewing Article

  Print
  • 12/12/2021 12:12 AM

Short Answer:

No, we do NOT use Log4J in Report Runner or any of our software products.

While our software is famous for it's logs, we do not use Log4J. We use a text-based logger that was custom built into our software. We do not use an external DLL or application for logging. And again, our logger is only text-based and only appends text messages to a text file. Our logging code is not capable of running SQL or anything nefarious like Log4J.

The Crystal runtime engine does have some files named "log4j", but SAP/Crystal indicates there are no risks with these files.

Extended Answer:

There ARE some "log4j" JS files installed by the Crystal runtime engine here:

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\Crystal Reports 2011\crystalreportviewers\js\log4javascript

These .js files located in the log4javascript directory can be deleted if you like. We do not depend on them with our software. SAP indicates these files are not used by neither Crystal Reports nor the Crystal .Net runtime engine (which our software uses). SAP indicates in their forum replies these files are NOT a security risk.

Please see this forum post and answers from SAP (be sure and scroll all the way to the bottom to see full discussion and answers):

https://answers.sap.com/questions/13545419/log4j-security-vulnerability-with-sap-crystal-repo.html

We will continue to update this KB article as we learn more.

Share via

Related Articles

© Support @ Jeff-Net