Apache Log4j vulnerability: security measures for SAP/Sinch Contact Pro

con4PAS

The recently announced vulnerability in the Apache Log4j library (CVE-2021-44228, "Log4Shell") may be relevant to on-premise installations of Sinch Contact Pro (aka SAP BCM, SAP Contact Center, SAP CCtr…).

December 16, 2021

Depending on configuration, Sinch Contact Pro (aka SAP BCM, SAP Contact Center, SAP CCtr…) installations can contain older, vulnerable versions of Apache Log4j. The affected component is the ECF Web Server, so the exposure concerns scenarios where Communication Panel or Live Chat is in use.

As an immediate, temporary measure, disable log writing for all internet-facing Java components that use Log4j. The vulnerability is triggered when attacker-controlled input is written to a log and its lookups are evaluated, so a component that writes no log events offers nothing to exploit. This does not affect business users or functionality, but it also removes the logs you would need for troubleshooting and forensics, so treat it as a stop-gap until the fix is applied.

The permanent fix is to follow the Sinch and Apache guidance (upgrade Log4j or, where an upgrade is not yet possible, remove the JndiLookup class from log4j-core as the Apache security page describes), or to wait for the Sinch hotfix that is currently being developed. The hotfix will be available for versions FP15 and higher.
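Both steps above, checking which Log4j version the ECF Web Server actually ships and applying the Apache-documented mitigation where an upgrade or the Sinch hotfix is not yet in place, can be scripted. The following is an added example written for this page, not code from Sinch, SAP or con4PAS: it walks an installation root for log4j-core jars, reads the version from each jar's manifest, checks whether the JNDI lookup class is present, and strips that class from jars it classifies as vulnerable. The directory layout and the jars it inspects are constructed in a temporary directory so it runs offline; the real ECF Web Server paths and the Java version in use are assumptions you must check against your own installation.

```python
"""Scan an install tree for Apache Log4j 2 core jars, report exposure to the
JNDI lookup flaw (CVE-2021-44228) and apply Apache's class-removal mitigation.

Added example, not Sinch, SAP or con4PAS code. The install layout and the
jars are constructed in a temp dir so it runs offline; real paths differ."""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # final releases sort last


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); 'log4j-core-2.14.1.jar' -> (2, 14, 1, 3, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text)
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRE_RANK[pre], int(pre_num or 0))


def classify(version, jndi_present):
    """Status per the Apache advisory: CVE-2021-44228 affects 2.0-beta9 to 2.14.1,
    fixed in 2.15.0 with back-ports 2.12.2 (Java 7) and 2.3.1 (Java 6). A jar
    with JndiLookup.class stripped is mitigated whatever its version."""
    if version is None:
        return "unknown-version"
    if not jndi_present:
        return "mitigated (JndiLookup.class removed)"
    if version < (2, 0, 0, 1, 9):
        return "not affected (pre-2.0-beta9)"
    if version >= (2, 15, 0, 3, 0):
        return "patched"
    branch, patch = version[:2], version[2]
    if (branch == (2, 12) and patch >= 2) or (branch == (2, 3) and patch >= 1):
        return "patched (back-port)"
    return "VULNERABLE"


def inspect_jar(jar_path):
    """Read the version from MANIFEST.MF (falling back to the file name) and check
    whether the JNDI lookup class is still inside the jar."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
            if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = parse_version(m.group(1) if m else jar_path.name)
    present = JNDI_CLASS in names
    return {"path": str(jar_path), "version": version, "jndi_present": present,
            "status": classify(version, present)}


def scan(root):
    """Inspect every log4j-core jar below root. Jars nested inside WAR or EAR
    files are not opened; unpack those first."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar"))]


def remove_jndi_lookup(jar_path):
    """Apache's mitigation when an upgrade is not yet possible: rewrite the jar
    without JndiLookup.class (same effect as `zip -q -d <jar> <class>`).
    Stop the Java process before touching a jar it has loaded."""
    jar_path = Path(jar_path)
    tmp = jar_path.parent / (jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    shutil.move(str(tmp), str(jar_path))
    return not inspect_jar(jar_path)["jndi_present"]


def build_sample_install(root):
    """Constructed stand-in for an ECF Web Server tree (placeholder class bytes,
    not a real compiled class): one exposed jar, one already stripped, one current."""
    specs = [("ecf/WEB-INF/lib/log4j-core-2.14.1.jar", "2.14.1", True),
             ("ecf-stripped/WEB-INF/lib/log4j-core-2.14.1.jar", "2.14.1", False),
             ("tomcat/lib/log4j-core-2.17.0.jar", "2.17.0", True)]
    for rel, version, with_jndi in specs:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return Path(root)


def demo():
    """Scan the constructed tree, strip every VULNERABLE jar, scan again."""
    root = build_sample_install(tempfile.mkdtemp(prefix="log4j-scan-"))
    before = scan(root)
    for result in before:
        if result["status"] == "VULNERABLE":
            remove_jndi_lookup(result["path"])
    return before, scan(root)


if __name__ == "__main__":
    for label, results in zip(("before", "after"), demo()):
        print(label)
        for r in results:
            print(f"  {r['status']:38} {r['path']}")
```

Point scan() at the real installation root instead of the constructed tree; jars bundled inside WAR or EAR archives are not opened, so unpack or list those separately. Removing JndiLookup.class disables JNDI lookups for any version and is the Apache-recommended stop-gap, not a substitute for the upgrade: 2.15.0 itself was later found incomplete (CVE-2021-45046), so take the current fixed release from the Apache page linked below. Stop the Java process before rewriting a jar it has loaded.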

At present there is no known way to exploit this vulnerability in Sinch Contact Pro. The vulnerable library is nevertheless present in the affected installations, so the measures above should be applied regardless.

If you need more information or help with this issue, please do not hesitate to contact us.


Official resources:

SAP OSS note (S-user required): 3129880 - Vulnerabilities found in JAVA which could affect ECF (Tomcat Apache Log4j security vulnerabilities)

Sinch article: Security Vulnerability Reported: Apache Log4j - Sinch Community - 8805

Apache guide for fix: https://logging.apache.org/log4j/2.x/security.html