log4shell / log4j - issue – What to do?

Michael325861-xrx · ‎12-16-2021

It has been determined that FreeFlow Core is not affected by the Log4j issue.

You can find the state of compliance as it relates to the Log4J issue for all Xerox products by refering to the Xerox Special Bulletin Regarding CVE-2021-44228 on the Xerox Security website at https://security.business.xerox.com/en-us/documents/bulletins/

The Bulletin is updated daily so please check regularly.

Michael325861-xrx · ‎12-15-2021

Xerox is aware of the issue and is actively working on a patch for FreeFlow Core, which is expected to be available next week (week of 12/20). Until that time, we recommend isolating FreeFlow Core from the public Internet.

Please check the "Banner" announcement in this forum and Xerox.com > All Support & Drivers for availability.

Rolf (Team Jansen) · ‎12-15-2021

A Tool (https://github.com/mergebase/log4j-detector) found out, that FFC uses the critical java-logging-library (in the version 1.2.14 resp. 1.2.17).

We have one server for XMPie where FFC is installed and accessible via Internet. What's the best practice for now – Turn off FFC and waiting for an update?! Or is it safe?

Many thanks in advance for any answer!

Rolf

Re: log4shell / log4j - issue – What to do?

Re: log4shell / log4j - issue – What to do?

log4shell / log4j - issue – What to do?