2021: Security Advisory: Apache Log4j / Log4Shell
Summary | A critical vulnerability has been identified in the popular Java logging library, Apache Log4j 2, or also referred to as Log4Shell. This has had a devastating impact globally on millions of systems and applications which impacts almost every company in some way. |
Advisory release date | 13th December 2021 |
Product Affected | uniFLOW sysHUB |
Products Reviewed | NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite |
CVE | CVE-2021-44228 |
Severity
This CVE has been given a ‘Critical’ severity rating.
Summary of Vulnerability
Below you can find a breakdown of the activity for NT-ware as a company and our individual products:
NT-ware - company
All public facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
Some internal services have been identified as utilising Log4j. We have taken immediate steps to patch or place mitigation controls in place.
uniFLOW
None of the following is affected: uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
Embedded applets for devices:
uniFLOW MEAP embedded applet for Canon devices – Unaffected
uniFLOW embedded applet for VarioPrint devices – Unaffected
uniFLOW embedded applet for ColorWave/PlotWave devices – Unaffected
uniFLOW embedded applet for ScanFront devices – Unaffected
uniFLOW embedded applet for Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices  – Unaffected
Devices connected with Release Stations – Unaffected
uniFLOW Online/uniFLOW Online Express
None of the following is affected: the platform itself, SmartClients, and supporting services.
Embedded applets for devices:
uniFLOW MEAP embedded applet for Canon devices – Unaffected
Devices connected with Release Stations – Unaffected
PRISMAsatellite
PRISMAsatellite does NOT use LOG4J (for Java), but DOES use log4JS (for JavaScript) as a component in the Dashboard. We can confirm that Log4JS (for JavaScript) is used in all versions of PRISMAsatellite, is NOT vulnerable to the LOG4J (for Java) exploit.
Â
Affected Versions
Product | Affected versions |
uniFLOW sysHUB |
|
 Â
Fixed Versions
Product | Fix versions |
Versions COSMOS 2.9 and uniFLOW sysHUB 2021 |
|
Â
What You Need to Do
Please review the provided information for mitigation or upgrade of your system.
Mitigation
NT-ware recommend to always update to the latest version but appreciate this is not possible in all situations. Please review the provided ‘in place' mitigations and decide what is best for your environment.
Support
If you have further questions, please contact your Canon / Canon Business Partner representative.
Â
Â