
Log4J vulnerability

Posted on by 75,848 Moderator

Is there any component in GP that would make a server subject to Log4J vulnerability?

  • Jonathan Beaulieu

    Any updates on this?

  • Suggested answer
    Beat Bucher  GP Geek  GPUG All Star
    28,058 Moderator

    Good morning Richard,

    I've a couple clients scrambling over this topic, but there is no reason for panic IMHO. The entire GP eco-system to my knowledge makes no use of Apache or any of its sub-components, like Java libraries for data logging. The Log4j vulnerability (or Log4Shell exploit) is affecting mainly web sites and IoT apps that make use of that library which was written years ago in open-source and never really updated. The vulnerability had been reported back in 2015 or 2016 during a white hat hack conference, but nobody really took notice of the warning. Until recently when some hackers decided to exploit the vulnerability at large in the field.

    www.wired.com/.../

    Unless Microsoft used this library as part of the IIS 6.0 or 7.x setup, which I doubt, GP shouldn't be concerned, even if you deployed the GP Web Client components.
    Here are some technical insights on the reported issue:

    https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

  • David Musgrave MVP GPUG All Star Legend Moderator
    14,095 Most Valuable Professional

    Hi All

    I agree with Beat Bucher 

    Microsoft Dynamics GP is written in Dexterity (which in turn is written in C++). Customisations can be created using C#, VB.Net or VBA 6.0. The Database and server based code is all in SQL Server.

    None of these languages/environments/tools are affected.

    We can wait for MS support to confirm, but I can't think of any component that would be affected.

    Regards

    David

  • Suggested answer
    Terry R Heley
    Microsoft Employee

    David and Beat are correct, there are no reports that this would impact Dynamics GP at this time.

    As always, if you are on an "older" version of Dynamics GP it is a great time to look at upgrading. With items like this happening, it is very important to be on the latest and greatest versions of the product if you can.

    Here is the lifecycle, you want to be on the latest code so you are receiving updates of the product, if you are on GP 2013, GP 2015 or GP 2016 an upgrade plan should be considered.

    Software lifecycle policy - Dynamics GP | Microsoft Docs

    Here is our recent release this October 2021 - 18.4

    Microsoft Dynamics GP October 2021 - Feature Blog Series Schedule! - Microsoft Dynamics GP Community

     Also, the most recent upgrade blog series

    Microsoft Dynamics GP 2021 Upgrade Blog Series Schedule - Microsoft Dynamics GP Community

    Microsoft is aware of active exploitation of a critical Log4j Remote Code Execution vulnerability affecting various industry-wide Apache products. This vulnerability is in the open source Java component Log4J versions 2.0 through 2.14.1 (inclusive) and is documented in Apache CVE-2021-44228.  

    We are taking steps to keep customers safe and protected - including performing a cross-company assessment to identify and remediate any impacted Microsoft services. We are also investigating for potential customer/partner impact.  As of December 14, 2021, Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability. However, we are still actively investigating utilization of Log4j in our services, and this determination may be subject to change at any given time based upon investigative findings. 

    We are also investigating for potential customer/partner impact. If we identify any customer/partner impact, we will notify the affected party.

    Please review the following guidance from Microsoft pertaining to this issue: 

    We encourage our customers to practice industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage product security updates, endpoint security updates, and passwords. More information on Zero Trust Security is available at https://aka.ms/zerotrust. Additional information is available at https://www.microsoft.com/en-us/security.

    Thanks

    Terry Heley
    Microsoft
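
To check a server directly for the question asked in this thread, the following added example (not part of any post above and not Microsoft tooling) walks a directory tree, opens Java archives including nested ones, and reports each bundled log4j-core version against the 2.0 through 2.14.1 range quoted in the last post. The function names are hypothetical, and the scan assumes the copy still carries its Maven `pom.properties` metadata.

```python
import io
import os
import re
import zipfile

# Affected range as quoted in the post above: Log4j 2.0 through 2.14.1 inclusive.
LOW, HIGH = (2, 0, 0), (2, 14, 1)
# Assumption: log4j-core is identified by the Maven metadata it ships with.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def in_quoted_range(version):
    """True if the numeric part of `version` falls inside LOW..HIGH."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    return LOW <= tuple(int(g or 0) for g in m.groups()) <= HIGH


def scan_archive(data, label, depth=0):
    """Yield (location, version, in_range) for log4j-core inside one archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else "unknown"
                yield label, version, in_quoted_range(version)
            elif name.lower().endswith(ARCHIVE_EXT) and depth < 4:
                # Fat JARs and WARs bundle other JARs; look inside those too.
                yield from scan_archive(zf.read(name), f"{label}!{name}", depth + 1)


def scan_tree(root):
    """Walk `root` and return every log4j-core copy found in Java archives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        hits.extend(scan_archive(fh.read(), path))
                except OSError:
                    continue  # unreadable file (permissions, locks)
    return hits
```

An empty result from `scan_tree` only means no copy with Maven metadata was found under that root; a copy repackaged without `pom.properties` is not detected by this check.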
