The Log4j vulnerability and Crystal Reports

Sunday 12 December 2021 @ 9:38 pm

Everyone has been talking about the new Java security vulnerability called Log4j. I have been talking to colleagues to determine if this affects Crystal Reports, Crystal Enterprise or anything else in the Crystal ecosystem. SAP put out a note that states that this vulnerability does not affect SAP Business Intelligence 4.2 or 4.3. It doesn’t mention earlier BI versions but these are no longer supported.

There was a support note about this topic, but nothing in the support note mentions Crystal Reports or the Crystal runtime engine used by third party applications. One of my colleagues said that since this is a Java vulnerability, it should not affect stand alone Crystal Reports, and I tend to agree. I also believe that if Crystal Reports were affected it would be mentioned in that support note. The same goes for the Crystal runtime files, but it would be nice if SAP responded specifically to these questions in the discussion above.

Last, thanks to Andrew Baines of Pursuit Technology and Danny Shahrabani of rePORTAL Software for helping me track down and make sense of the SAP support note.  If anyone else has info to share on this topic, please let me know.









Leave a Reply

Recrystallize Pro