0
Crystal Reports:
Java Licensing & Log4j Vulnerability
SYSPRO Technical Article
Last Published: December 2023
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 1
SYSPRO Help and Reference
Copyright © 2023 SYSPRO Ltd
All rights reserved
No part of this document may be copied, photocopied, or reproduced in any form or by any
means without permission in writing from SYSPRO Ltd. SYSPRO is a trademark of SYSPRO
Ltd. All other trademarks, service marks, products or services are trademarks or registered
trademarks of their respective holders.
SYSPRO Ltd reserves the right to alter the contents of this document without prior notice.
While every effort is made to ensure that the contents of this document are correct, no
liability whatsoever will be accepted for any errors or omissions.
This document is a copyright work and is protected by local copyright, civil and criminal law
and international treaty. This document further contains secret, confidential and proprietary
information belonging to SYSPRO Ltd. It is disclosed solely for the purposes of it being used
in the context of the licensed use of the SYSPRO Ltd computer software products to which it
relates. Such copyright works and information may not be published, disseminated,
broadcast, copied or used for any other purpose. This document and all portions thereof
included, but without limitation, copyright, trade secret and other intellectual property rights
subsisting therein and relating thereto, are and shall at all times remain the sole property of
SYSPRO Ltd.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 2
Contents
Introduction ................................................................................................................................... 3
Audience ................................................................................................................................................. 3
Background .................................................................................................................................... 3
Java Licensing and Log4J Vulnerability: Clarifications for SYSPRO Users ...................................... 3
Statement from SYSPRO: Java Licensing .................................................................................... 4
What does SAP Product Support say? ................................................................................................ 4
Statement from SYSPRO: Log4j vulnerability ............................................................................ 5
Does this vulnerability affect SYSPRO? .............................................................................................. 5
Why does it not affect SYSPRO? .......................................................................................................... 5
FAQs ................................................................................................................................................ 6
Java .......................................................................................................................................................... 6
Why does SYSPRO ship Java? ..................................................................................................... 6
Which version of Java is shipped with SYSPRO? ...................................................................... 6
Does SYSPRO support newer versions of Java? ...................................................................... 6
Are there any plans to support more current versions of Java? ........................................... 6
Can SYSPRO clients upgrade from JRE 8u66 to a newer version of Java? ........................... 6
Can customers use a different version of Java than what is shipped with SYSPRO? ........ 7
How should customers handle Java updates and potential security concerns? ................ 7
Reporting and Drivers .......................................................................................................................... 8
When should I use client or server-side reporting, and which driver should I choose? ... 8
How does switching to the SQL driver for client-side reporting affect performance and
functionality? ................................................................................................................................ 8
How do I switch between client-side and server-side reporting? ......................................... 9
General ................................................................................................................................................... 9
What if I have more questions? ................................................................................................. 9
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 3
Introduction
AUDIENCE
This statement is aimed at the entire SYSPRO community.
This includes SYSPRO end-users, partners and SYSPRO personnel.
Background
JAVA LICENSING AND LOG4J VULNERABILITY: CLARIFICATIONS FOR
SYSPRO USERS
In 2018, Oracle announced its intention to charge business users for utilizing Java technology. This
shift in Java licensing raised concerns among users of Crystal Reports technology, an integral part
of the SYSPRO installation. Crystal Reports, maintained and supported by SAP Business Objects, is
a crucial component for client and server-side reporting in SYSPRO 8 and previous versions.
Parallel to the Java licensing developments, a significant security concern emerged in late 2021. A
widely used Java library, Log4j, known for its logging capabilities in Java applications, was found to
have a severe vulnerability. This vulnerability, easily exploitable by malicious entities, posed a
global threat due to the library's extensive usage.
Amidst these developments, it's crucial to address the implications for SYSPRO users.
Despite Crystal Reports incorporating the Log4j library, which harbors this vulnerability, we assure
our users that this specific library is not employed by the Crystal Reports BI technology included
with SYSPRO.
This document aims to clarify these concerns, ensuring that SYSPRO users remain informed about
their software's security and licensing status.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 4
Statement from SYSPRO: Java Licensing
Crystal Reports 2013 SP 8, Crystal Reports 2016, and Crystal Reports 2020 as included in the
SYSPRO installation, does not require additional payments, over-and-above existing license fees
due to SYSPRO.
It should be noted that Crystal Reports has an embedded version of Java and this runtime is not
chargeable by Oracle.
WHAT DOES SAP PRODUCT SUPPORT SAY?
We have confirmation from Support Engineers at SAP Product Support that there is an SAP
Knowledge Base Article (KBA) number 2652335 that contains a statement indicating that there
are no additional payments due when using Java compatible with:
▪ SAP Crystal Reports 2013 SP 8, Crystal Reports 2016 or Crystal Reports 2020
▪ SAP Crystal Reports Runtime engine for .NET Framework (32 bit)
(The native XML driver is used with this runtime)
▪ SAP Crystal Reports Server 2013 SP 8 OEM Edition
(The native XML driver is used with this run time)
▪ SAP BusinessObjects BI Platform .NET SDK Redistributable 4.2 (32 bit and 64 bit)
In all cases, Crystal Reports 2013, 2016 and 2020 are supported without additional charges.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 5
Statement from SYSPRO: Log4j vulnerability
DOES THIS VULNERABILITY AFFECT SYSPRO?
The answer is no.
WHY DOES IT NOT AFFECT SYSPRO?
SYSPRO uses SAP BusinessObjects BI 4.1 for Crystal Reports 2013 and SAP BusinessObjects BI 4.2
for Crystal Reports 2016. These product lines are not impacted by CVE-2021-44228.
On December 15, 2021, SAP BusinessObjects released 3129956 KB article confirming that SAP
BusinessObjects Business Intelligence platform is not affected by the CVE-2021-44228 Log4j
vulnerability.
See screen image taken from their web site December 2021:
The impacted component resides in the main JNDI package which is not used in the SAP
Business Objects BI platform.
The Log4j file can be deleted from a customer’s environment without affecting the operation of
Crystal Designer within SYSPRO. The file is not used, merely packaged with the Crystal Report
Designer files.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 6
FAQs
JAVA
WHY DOES SYSPRO SHIP JAVA?
SYSPRO includes Java to support customers who use Additional Reporting Software 2020 (i.e.,
SAP Crystal Reports 2020) for client-side printing with an XML driver.
It is important to note that Java is not required for using the SQL driver, either for client or server-
side printing.
Note: Server-side reporting, client-side reporting using SQL, and the report designer
utilize a SAP-specific version of Java.
WHICH VERSION OF JAVA IS SHIPPED WITH SYSPRO?
SYSPRO 8 includes Java 8 Update 66 and Java 8 Update 102 (64-bit), specifically for use with the
Additional Reporting Software 2020 (i.e., SAP Crystal Reports 2020):
SYSPRO is licensed to distribute these Java versions, ensuring no additional license costs for our
end-users.
DOES SYSPRO SUPPORT NEWER VERSIONS OF JAVA?
Although SYSPRO is not licensed to ship versions of Java later than Java 8 Update 66 or Java 8
Update 102 (64-bit), the SYSPRO development team tested Java 8 Update 391 during November
2023 and confirmed that it works as expected.
However, it is important to note that not all versions have been tested and verified to work with
the product. Therefore, there may be cases where the native XML driver fails to work with a newer
Java version.
ARE THERE ANY PLANS TO SUPPORT MORE CURRENT VERSIONS OF JAVA?
Currently, there are no plans to upgrade the version of Java shipped with the SYSPRO product.
CAN SYSPRO CLIENTS UPGRADE FROM JRE 8U66 TO A NEWER VERSION OF JAVA?
Clients are free to upgrade to a newer version of Java. However, it is important to note that we
cannot guarantee the functionality of the native XML driver with versions of Java other than those
shipped or verified.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 7
CAN CUSTOMERS USE A DIFFERENT VERSION OF JAVA THAN WHAT IS SHIPPED WITH
SYSPRO?
Yes, customers can install their own version of Java. However, it is important that they first
uninstall the previous version.
Therefore, the process to follow is:
1. Uninstall the provided version of Java (i.e., Java 8 Update 66).
2. Obtain a license for the version of Java intended to install.
3. Download and install the respective version on each client PC intending to use the XML
driver.
4. Run a Crystal Report within SYSPRO on each client PC to detect the Java version and update
the CrConfig.xml file to point to the relevant version.
In the event that the CrConfig.xml file fails to update, customers may need to manually update it
with the correct path to their installed java.exe to look as follows:
The CrConfig.xml file can be found in the following location:
C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP
BusinessObjects Enterprise XI 4.0\Java
Note: This update is necessary, particularly when printing an SRS report.
HOW SHOULD CUSTOMERS HANDLE JAVA UPDATES AND POTENTIAL SECURITY CONCERNS?
Various Java update versions may have reported vulnerabilities from time to time. Any potential
vulnerabilities should be periodically reviewed for relevance. When required, customers should
consider updating to a more recent version, for which a separate license will be required.
We recommend first running any Java update in a limited (non-production) environment before it
is rolled out to businesses as a whole.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 8
REPORTING AND DRIVERS
WHEN SHOULD I USE CLIENT OR SERVER-SIDE REPORTING, AND WHICH DRIVER SHOULD I
CHOOSE?
CLIENT-SIDE REPORTING
XML driver: Client-side reporting using the XML driver is best suited for environments that print
reports with formulas to printers that are either dispersed or on different networks.
SQL driver: Client-side reporting using the SQL driver is best suited for environments that have
client logins that print to dispersed printers or printers that span across different networks.
SERVER-SIDE REPORTING
Server-side reporting exclusively makes use of the SQL driver. It should be used in instances of
high-volume printing through centralized printers that are managed on a separate server, or when
using the Web UI instead of the Desktop UI.
HOW DOES SWITCHING TO THE SQL DRIVER FOR CLIENT-SIDE REPORTING AFFECT
PERFORMANCE AND FUNCTIONALITY?
PERFORMANCE
The SQL driver promotes faster previewing and printing when compared to using the native XML
driver.
The processing times when using the native XML driver, however, can be expedited. If required,
refer to Upgrading to SYSPRO Reporting Software 2020.
FUNCTIONALITY
Certain reports, namely those with formulas, can only be printed using the XML driver. Switching
to the SQL driver will therefore prevent these reports from being printed.
You can view a list of the reports that can only use the XML driver from the following file within
your SYSPRO installation:
Base\Store\IMPSRE.IMP
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 9
HOW DO I SWITCH BETWEEN CLIENT-SIDE AND SERVER-SIDE REPORTING?
To switch your reporting from client-side to server-side, proceed as follows:
1. Using the SYSPRO Installer application (SYSPRO Installer), install the SYSPRO 8 Reporting
Host Service.
2. In SYSPRO, open the Setup Options (IMPCFG) program from the Ribbon bar:
a. Navigate to the Reporting form (Categories > System Setup > Reporting).
b. Within the Reporting configuration field, select Server-side reporting using SQL.
c. Select Save and Exit.
The Setup Options window displays, notifying you that your changes will only take
effect after exiting from SYSPRO.
d. Select OK.
e. Exit SYSPRO and re-launch for the change to be effective.
To switch your reporting from server-side to client-side, proceed as follows:
1. Using the SYSPRO Installer application (SYSPRO Installer), install the SYSPRO 8 Reporting
Components required for each client machine.
2. In SYSPRO, open the Setup Options (IMPCFG) program from the Ribbon bar:
a. Navigate to the Reporting form (Categories > System Setup > Reporting).
b. Within the Reporting configuration field, select your preferred option:
▪ Client-side reporting using SQL
▪ Client-side reporting using XML
c. Select Save and Exit.
The Setup Options window displays, notifying you that your changes will only take
effect after exiting from SYSPRO.
d. Select OK.
e. Exit SYSPRO and re-launch for the change to be effective.
GENERAL
WHAT IF I HAVE MORE QUESTIONS?
If you have any additional questions about this complex subject, please speak to your SYSPRO
support partner or regional office.
SYSPRO ERP
Copyright © 2023 Syspro Ltd. All rights reserved. All trademarks are recognized.
SYSPRO Statement: Crystal Reports: Java Licensing &
Log4j Vulnerability 10
