It seems SAP Hybris eCommerce suite might be affected by Log4j vulnerability that has been discovered recently Due to a bug in Log4j library, a attacker would be able to send a malicious payload to the server hosting a java application which uses log4j library, it has been observed Hybris uses log4j library to log the events as described here – https://help.sap.com/viewer/d0224eca81e249cb821f2cdf45a82ace/1905/en-US/8b2c4a4286691014894a812a097cb276.html .
This clearly illustrates Hybris installations may be vulnerable to Log4j exploit.Till there is proper advisory from SAP Hybris there are couple of workarounds which might be done to mitigate this vulnerability.
Workarounds:
Putting in Firewall rules to block the JNDI request might be a good way to prevent this and along with blocking the outbound requests also.
Another way is to put in a System property like this or change the environment variable as shown below
formatMsgNoLookups=true
LOG4J_FORMAT_MSG_NO_LOOKUPS to true
More about this can be found here – https://logging.apache.org/log4j/2.x/security.html