Message last updated: 15.12.2021 | 7:38 pm
Over the weekend, the German Federal Office for Information Security (BSI) reported a security vulnerability in the log4j software library, which is used for numerous Java applications. The criticality of this vulnerability was rated as very high.
We have analyzed the issue for the ZMI programs (especially ZMI – WebClient) and came to the conclusion that they do not use logging based on “log4j”. Regarding third-party applications, we are in close coordination with the respective manufacturers and publish the corresponding security messages here:
Datafox
Datafox products (Datafox Hardware, the Datafox Communication Library, Datafox Talk and the DatafoxStudioIV) are not affected by the current Log4Shell (CVE-2021-44228) vulnerability.
dormakaba B-COMM
The check of current versions>5.0.0 has shown that none of the affected functions are used by default. Checks of older versions such as 3.18.x and 4.1.3 have also confirmed that none of the affected functions are used.
PCS INTUS COM / DEXICON
The library log4j is used in DEXICON 5.4, as well as the HTTPS server of INTUS COM 3.4 and INTUS COM 3.5. Older versions of DEXICON and INTUS COM do not use this library and are therefore still safe. More information and step-by-step instructions for the vulnerability fix can be found here: https://www.pcs.com/die-pcs/aktuelles/presse-und-news/detailansicht/_/aktuelle-information-zur-sicherheitsmeldung-des-bsi-java-log4j
Uhlmann & Zacher ClexPrime
We use Crystal-Reports.Net exclusively in ClexPrime – Keyvi3 for print-outs and reports. The SAP Crystal Report component installs log4j as well, but according to consultation with SAP, these BusinessObjects/Crystal reports are not affected by the breach, which means that the affected log4j versions are not used at all, according to SAP. In our software itself, log4j, i.e. Java is not present at all and has no reference to log4j in the Crystal reports.
ASTRUM VISIT
The solution is not affected by the vulnerability.
Qognify Cayuga R15, R16, R17
Cayuga uses the Log4j library in core and devicemanagement. We are pleased to announce that patches for these two services are now available. These patches will be automatically downloaded to your Cayuga update server if you have activated the update via the Qognify website. You can find these patches like the other patches in the patch directory. We have replaced the vulnerable versions of Core and Devicemanagement from patch day with today’s patches. Cayuga R14 and earlier versions are not affected by the Log4j vulnerability, so you do not need to do anything for this. After applying the patches to your Cayuga system, Cayuga will no longer provide any means of attack.
TSplus
TSplus uses log4net and not log4j. Therefore, the vulnerability does not apply to the product.
Regardless of this, we recommend that you check in what extent other components in your IT landscape could be affected and which updates / patches are provided for them. Please also note that we cannot make any statements about third-party software (such as payroll software, ERP systems, HRM systems, etc.) that has been connected via interfaces.
For more information on the Log4Shell vulnerability, see:
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html