What is Log4j?
Cyber attackers are making hundreds of attempts every minute to try and exploit a critical security vulnerability in the Java logging library, Apache Log4j. The Log4j flaw (also now known as “Log4Shell”) is a vulnerability that can allow unauthenticated remote code execution and access to servers.
Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning there’s a wide range of software that could be at risk from attempts to exploit the vulnerability.
Is my ERP system at risk?
Our experts at Crestwood Associates have been on top of this vulnerability. They have found, at this point, there is no evidence that Microsoft Dynamics GP or SL, Dynamics 365 Business Central, Acumatica or Greentree are affected by Log4j. In addition, due to the nature of the vulnerability, it is unlikely that they will be impacted.
However, third-party applications that are using Apache’s Log4j Java library are vulnerable. If you have the following add-ons or third-party products installed with your ERP solution, you are subject to the vulnerability.
- Tibco has a “Dynamics GP Data Virtualization” product that uses Log4j according to its documentation. If you are using this Tibco tool, please contact us regarding the vulnerability. For more Tibco product information click here.
- If by chance you are using an outdated (no updates since 2015) CDATA product called, “CData TDV Adapter for Dynamics GP,” you are at risk for the Log4j vulnerability. Please contact your Crestwood Account Manager right away, so we can make sure you are secure.
Bottom line, anything written in Java needs to be checked for this vulnerability. Generally speaking, your main ERP solution is not affected by this but please double check any third-party applications you might be using. Our team at Crestwood will continue to monitor this vulnerability closely. If you have further questions, reach out to us at email@example.com or contact your account manager.
Click here for Microsoft’s response information.
Note: Acumatica Users…
Acumatica released a statement on 12/15 confirming that they are not impacted by the Apache Log4j issue, as expected.