Personalized Community is here!
Quickly customize your community to find the content you seek.
Choose your path Increase your proficiency with the Dynamics 365 applications that you already use and learn more about the apps that interest you. Up your game with a learning path tailored to today's Dynamics 365 masterminds and designed to prepare you for industry-recognized Microsoft certifications.
Visit Microsoft Learn
2023 Release Wave 1Check out the latest updates and new features of Dynamics 365 released from April 2023 through September 2023
The FastTrack program is designed to help you accelerate your Dynamics 365 deployment with confidence.
FastTrack Community | FastTrack Program | Finance and Operations TechTalks | Customer Engagement TechTalks | Upcoming TechTalks | All TechTalks
Is there any component in GP that would make a server subject to Log4J vulnerability?
Any updates on this?
Good morning Richard,
I've a couple clients scrambling over this topic, but there is no reason for panic IMHO.. The entire GP eco-system to my knowledge makes no use of Apache or any of its sub-component, like Java libraries for data logging. The Log4j vulnerability (or Log4Shell exploit) is affecting mainly web sites and IoT apps that make use of that library which was written years ago in open-source and never really updated. The vulnerability had been reported back in 2015 or 2016 during a white hat hack conference, but nobody really took notice of the warning. Until recently when some hackers decided to exploit the vulnerability at large in the field.
Unless Microsoft used this library as part of the IIS 6.0 or 7.x setup, which I doubt, GP shouldn't be concerned, even if you deployed the GP Web Client components.Here are some technical insights on the reported issue:
I agree with Beat Bucher
Microsoft Dynamics GP is written in Dexterity (which in turn is written in C++). Customisations can be created using C#, VB.Net or VBA 6.0. The Database and server based code is all in SQL Server.
None of these languages/environments/tools are affected.
We can wait for MS support to confirm, but I can't think of any component that would be affected.
David and Beat are correct, there are no reports that this would impact Dynamics GP at this time.
As always if you are on an "older" version of Dynamics GP it is a great time to look at upgrading. With items like this happening and it is very important to be on the latest and greatest versions of the product if you can.
Here is the lifecycle, you want to be on the latest code so you are receiving updates of the product, if you are on GP 2013, GP 2015 or GP 2016 an upgrade plan should be considered.
Software lifecycle policy - Dynamics GP | Microsoft Docs
Here is our recent release this October 2021- 18.4
Microsoft Dynamics GP October 2021 - Feature Blog Series Schedule! - Microsoft Dynamics GP Community
Also, the most recent upgrade blog series
Microsoft Dynamics GP 2021 Upgrade Blog Series Schedule - Microsoft Dynamics GP Community
Microsoft is aware of active exploitation of a critical Log4j Remote Code Execution vulnerability affecting various industry-wide Apache products. This vulnerability is in the open source Java component Log4J versions 2.0 through 2.14.1 (inclusive) and is documented in Apache CVE-2021-44228.
We are taking steps to keep customers safe and protected - including performing a cross-company assessment to identify and remediate any impacted Microsoft services. We are also investigating for potential customer/partner impact. As of December 14, 2021, Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability. However, we are still actively investigating utilization of Log4j in our services, and this determination may be subject to change at any given time based upon investigative findings.
We are also investigating for potential customer/partner impact. If we identify any customer/partner impact, we will notify the affected party.
We encourage our customers to practice industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage product security updates, endpoint security updates, and passwords. More information on Zero Trust Security is available at https://aka.ms/zerotrust. Additional information is available at https://www.microsoft.com/en-us/security.
Business Applications communities