Log4j vulnerability (CVE-2021-44228)

Product Security Statement

The significant security news headline on December 11, 2021 was the Apache Log4j Remote Code Execution (RCE) vulnerability. Apache Log4j is a Java-based logging framework used by many applications and distributed under the Apache Software License. This vulnerability was detected on December 9th, and Apache published it as a zero-day vulnerability (CVE-2021-44228) affecting Apache Log4j version 2.14.1 and below.

After further investigation, we are happy to report that this does not appear to impact any of our current product releases of S4i Express, WebView, DASD Plus, NG, Desktop Capture, SMRTR Compliance, AP Automation with Readsoft Online, Planet Press Suite, Planet Press Connect, Kofax Capture and Kofax Total Agility. 

 

The following products use or previously used Log4j, so please review the comments below.

  • Past versions of OL’s Planet Press Connect DID use the Log4j module; it was removed with release 2018.1. As long as you are running a version of OL Connect that is 2018.1 or later, the vulnerability is not present. Please contact us immediately if you are unsure of your release or have an earlier version of Planet Press Connect.
  • NG has an ElasticSearch database that uses Log4j. However, according to ElasticSearch, they have validated that the vulnerability does not exist due to their use of the Java Security Manager.
  • Desktop Capture also uses Log4j, but it is using a version that is not affected by this Remote Code Execution vulnerability.

 

Additionally, Apache Tomcat is not vulnerable by default, although other products that you may have deployed to Tomcat could be vulnerable.
