A tool (https://github.com/mergebase/log4j-detector) found out that FFC uses the critical Java logging library (in the version 1.2.14 resp. 1.2.17).
We have one server for XMPie where FFC is installed and accessible via the Internet. What's the best practice for now – turn off FFC and wait for an update? Or is it safe?
Many thanks in advance for any answer!
Xerox is aware of the issue and is actively working on a patch for FreeFlow Core, which is expected to be available next week (week of 12/20). Until that time, we recommend isolating FreeFlow Core from the public Internet.
Please check the "Banner" announcement in this forum and Xerox.com > All Support & Drivers for availability.
It has been determined that FreeFlow Core is not affected by the Log4j issue.
You can find the state of compliance as it relates to the Log4J issue for all Xerox products by referring to the Xerox Special Bulletin Regarding CVE-2021-44228 on the Xerox Security website at https://security.business.xerox.com/en-us/documents/bulletins/
The Bulletin is updated daily so please check regularly.