SugarCRM Information Regarding Log4j Vulnerability

Like many software companies around the world, SugarCRM recently became aware of a critical vulnerability in the Log4j logging library developed by the Apache Software Foundation, which is widely used in web server applications. The zero-day attack exploiting Log4j versions 2.0 to 2.14.1 is being referred to as CVE-2021-44228 or "Log4Shell." We quickly identified and remediated our affected systems by December 13, 2021. Based on our investigation, we have not detected any negative impact on our web-based services from this exploit.

The SugarCRM Security Team continues to monitor the situation and we are ready to react appropriately to any intelligence about this vulnerability. In addition, measures designed to detect and prevent any attempted activity related to this vulnerability have been implemented by our organization. We will continue to keep our customers informed by way of email, if necessary.

On-premises customers should evaluate any technology stacks running SugarCRM products to confirm that no vulnerable components remain. Customers are encouraged to upgrade Elasticsearch to at least the remediated version 7.16.1.

For further information about the vulnerability please visit these links, or search for CVE-2021-44228:

The SugarCRM Security Team

7.7 reached its end of support date in 2017, so we do not run any kind of testing against that version. I looked back at some documentation archives and found that the only supported version of Elasticsearch for Sugar 7.7 was 1.4.4. It is strongly recommended to upgrade to a supported version of Sugar to take advantage of all security and bug fixes released in the last few years, in addition to all of the updated functionality and new features.

10.0.4 is still a supported version (for a few more months). Currently, from the 10.0.x Supported Platforms page, ES 5.4, 5.6, 6.2, 6.8 are the only supported versions. I checked with our engineering team and they're actively testing ES 6.8.22 which is the fixed release for Elastic Log4j in the 6.x train. More information on that coming as soon as testing is complete.
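The advisory recommends Elasticsearch 7.16.1 and the thread above names 6.8.22 as the fixed 6.x release. The following is an added example, not SugarCRM's own tooling, that checks the version reported by an Elasticsearch node's root endpoint (`GET /`) against those two floors; the sample response is constructed, and treating any other major train as "needs manual review" is an assumption of this example, not a statement from the page.

```python
import json
import re
from typing import Optional

# Lowest release per major train that carries the Log4j fix, as stated on
# this page: 7.16.1 (advisory) and 6.8.22 (comment thread). Trains not
# listed here get None (manual review), which is this example's assumption.
REMEDIATED_MIN = {7: (7, 16, 1), 6: (6, 8, 22)}


def parse_version(text: str) -> tuple:
    """Turn '6.8.22' (optionally with a suffix like '-SNAPSHOT') into (6, 8, 22)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_remediated(version: str) -> Optional[bool]:
    """True if at/above the fixed release for its train, False if below,
    None if this page lists no fixed release for that train."""
    v = parse_version(version)
    floor = REMEDIATED_MIN.get(v[0])
    if floor is None:
        return None
    return v >= floor


def check_node(root_response: str) -> dict:
    """Evaluate the JSON body an Elasticsearch node returns for GET /."""
    body = json.loads(root_response)
    version = body["version"]["number"]
    return {"name": body.get("name"), "version": version,
            "remediated": is_remediated(version)}


def nodes_needing_action(root_responses: list) -> list:
    """Names of nodes that are below the floor or on an unlisted train."""
    return [r["name"] for r in map(check_node, root_responses)
            if r["remediated"] is not True]


# Constructed sample responses (hypothetical node names, not real infrastructure).
SAMPLE_RESPONSES = [
    '{"name": "es-node-1", "version": {"number": "6.8.12"}, "tagline": "You Know, for Search"}',
    '{"name": "es-node-2", "version": {"number": "7.16.1"}, "tagline": "You Know, for Search"}',
    '{"name": "es-node-3", "version": {"number": "5.6.16"}, "tagline": "You Know, for Search"}',
]

if __name__ == "__main__":
    for response in SAMPLE_RESPONSES:
        print(check_node(response))
    print("needs action:", nodes_needing_action(SAMPLE_RESPONSES))
```

In practice the response strings come from `curl -s http://<es-host>:9200/` against each node in the inventory; only nodes reporting `True` satisfy the versions named on this page.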
