Update on Apache Log4j2 Vulnerability

by Roger Mak, Chief Customer Success Officer

LOG4J VULNERABILITY

Process Fusion is aware of the severity and the large attack surface of the Apache Log4j2 vulnerability. This remote code execution (RCE) vulnerability could potentially affect Java and some .NET applications.

We are actively monitoring this issue and are working with our vendor partners to assess the impact and any required remediation.

Until our assessment is complete, please ensure your existing perimeter defense is active and up-to-date to prevent unauthorized entry into your network. Staff must always remain vigilant against cyberattacks such as phishing and social engineering.

We will provide further updates as additional information becomes available.


Dec 14th Update:

Process Fusion has reviewed our products, production environment and 3rd-party supported products for exposure to the Log4j vulnerability (CVE-2021-44228). Below is an interim update on the vulnerability status:

Process Fusion Products & Infrastructure

  1. Our cloud products, CapturePoint and UniPrint InfinityCloud, have one affected component, which has been patched to block the exploit. Both products have been remediated.
  2. Our on-prem products, CapturePoint and UniPrint Infinity are NOT affected.
  3. Our UniPrint vPad and mobile applications are NOT affected.
  4. Our managed service infrastructure, including 3rd-party remote management and security tools, is either NOT affected or has been patched to block the exploit. Perimeter defenses are operating normally.

Below are the impact assessments provided by the respective vendors of our supported products:

  1. Xerox DocuShare and DocuShare Flex – some versions are affected. See details here – https://help.carear.com/hc/en-us/articles/4415942561175
  2. OpenText RightFax – uses log4j v1.x; investigation continues
  3. ABBYY – two components among ABBYY’s products are affected:

− DBMS Connector for ABBYY Timeline. While the overall ABBYY Timeline core product is not affected by the log4j vulnerability, an auxiliary component – a DB connector – uses log4j. ABBYY is actively developing a patch to address this vulnerability as quickly as possible and is reaching out to affected customers. In the meantime, customers can apply the JVM option '-Dlog4j2.formatMsgNoLookups=true' to fix the issue.

− ABBYY FlexiCapture connector for Pega. While the overall ABBYY FlexiCapture core product is not affected, the FlexiCapture connector for Pega is affected by the vulnerability. ABBYY is actively developing a patch to address this vulnerability as quickly as possible and is reaching out to affected customers.
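
A check for the DBMS Connector workaround above, added here as an example (not Process Fusion's or ABBYY's code): it tests whether a Java launch line actually delivers -Dlog4j2.formatMsgNoLookups=true to the JVM, including the common mistake of placing the flag after -jar, where it becomes a program argument. The sample command lines, connector.jar and com.example.Connector are constructed, and POSIX-style quoting is assumed.

```python
import shlex

PROP = "log4j2.formatMsgNoLookups"
# Launcher options whose value is the next token (simplified, not exhaustive).
TAKES_VALUE = {"-cp", "-classpath", "--class-path", "-p", "--module-path"}
# After "-jar FILE" or "-m MODULE" every remaining token is a program argument.
ENDS_OPTIONS = {"-jar", "-m", "--module"}


def jvm_options(argv):
    """Return only the tokens the JVM itself parses as options."""
    opts, i = [], 1  # argv[0] is the java executable
    while i < len(argv) and argv[i].startswith("-"):
        tok = argv[i]
        if tok in ENDS_OPTIONS:
            break
        if tok in TAKES_VALUE:
            i += 2  # skip the option and its value
            continue
        opts.append(tok)
        i += 1
    return opts  # the loop also stops at the main class name


def lookups_disabled(cmdline, env=None):
    """True if this launch sets the system property to true."""
    # JAVA_TOOL_OPTIONS is read before the command line, so the command line wins.
    tool_opts = shlex.split((env or {}).get("JAVA_TOOL_OPTIONS", ""))
    value = None
    for opt in tool_opts + jvm_options(shlex.split(cmdline)):
        if opt.startswith("-D" + PROP + "="):
            value = opt.split("=", 1)[1]  # a later definition overrides an earlier one
    return value is not None and value.lower() == "true"


# Constructed launch lines; file and class names are hypothetical.
FLAG = "-Dlog4j2.formatMsgNoLookups=true"
SAMPLES = [
    ("java " + FLAG + " -jar connector.jar", {}),
    ("java -jar connector.jar " + FLAG, {}),  # flag is a program argument
    ("java -cp 'lib/*' com.example.Connector", {"JAVA_TOOL_OPTIONS": FLAG}),
    ("java " + FLAG + " -Dlog4j2.formatMsgNoLookups=false -jar connector.jar", {}),
]

if __name__ == "__main__":
    for cmd, env in SAMPLES:
        print("OK     " if lookups_disabled(cmd, env) else "MISSING", cmd, env)
```

The property is only honoured by Log4j 2.10 and later, and Apache subsequently stated that it does not fully mitigate the issue, so a passing result here does not replace the vendor patch.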