Rolf (Team Jansen)
FreeFlow User

log4shell / log4j - issue – What to do?

A tool (https://github.com/mergebase/log4j-detector) found that FFC uses the critical Java logging library (in version 1.2.14 resp. 1.2.17).

We have one server for XMPie where FFC is installed and accessible via the Internet. What's the best practice for now – turn off FFC and wait for an update?! Or is it safe?

Many thanks in advance for any answer!

Rolf

0 Kudos
2 Replies
Michael325861-xrx
FreeFlow Production Workflow Moderator

Re: log4shell / log4j - issue – What to do?

Xerox is aware of the issue and is actively working on a patch for FreeFlow Core, which is expected to be available next week (week of 12/20). Until that time, we recommend isolating FreeFlow Core from the public Internet. 

Please check the "Banner" announcement in this forum and Xerox.com > All Support & Drivers for availability.

0 Kudos
Michael325861-xrx
FreeFlow Production Workflow Moderator

Re: log4shell / log4j - issue – What to do?

It has been determined that FreeFlow Core is not affected by the Log4j issue.

You can find the state of compliance as it relates to the Log4J issue for all Xerox products by referring to the Xerox Special Bulletin Regarding CVE-2021-44228 on the Xerox Security website at https://security.business.xerox.com/en-us/documents/bulletins/

The Bulletin is updated daily so please check regularly.

0 Kudos