Compart - Document- and Output-Management

Customer Information on CVE-2021-44228
("Log4j2/Log4Shell Vulnerability")

Dear Compart customers,

As you may have heard in the press, a vulnerability in a widely used open source Java library (Log4j2) was recently discovered and published as CVE-2021-44228. Immediately after this security vulnerability became known on December 10, 2021, Compart began investigating possible effects on its products and taking countermeasures.

Which Compart products are affected?

One Compart product uses the library affected by the security vulnerability (Log4j2 <= 2.14.1). The affected product is:

  • DocBridge® Impress Designer up to and including version 2.0.1

What actions is Compart taking to mitigate the risk?

DocBridge® Impress Designer up to version 2.0.1

  • Compart recommends upgrading to the latest version of DocBridge® Impress Designer as soon as possible. Versions later than 2.0.1 are supplied as a plug-in for DocBridge® Central and are not affected by the vulnerability in Log4j2.
  • Impress Designer Plugin Version 4.0.1 is currently available. It is installed as an NPM package, which is available to Compart customers via our NPM registry (https://reg-npm.compart.com/).
  • In the short term, until the upgrade is installed, Compart recommends that customers implement the countermeasures described at https://logging.apache.org/log4j/2.x/security.html. When selecting the appropriate short-term countermeasure, please note that version 2.0.1 of DocBridge® Impress Designer uses Log4j v2.13.3. Even older versions use Log4j v2.8.2.
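
To confirm which Log4j build an installation actually ships and whether a stopgap has been applied, the following added example (not Compart's or Apache's code) inventories `log4j-core` jars under a directory. It assumes the usual `log4j-core-<version>.jar` file naming, and it checks for the `JndiLookup` class because removing that class from the jar is one of the short-term measures in Apache's guidance; the status labels and sample jars are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed by the stopgap
AFFECTED_MAX = (2, 14, 1)  # the advisory: Log4j2 <= 2.14.1 is affected

def jar_version(jar_path):
    """Version tuple parsed from a log4j-core-<version>.jar file name, else None."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?", Path(jar_path).name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def assess_jar(jar_path):
    """Classify one jar by file-name version and by whether JndiLookup is still inside."""
    version = jar_version(jar_path)
    with zipfile.ZipFile(jar_path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if version is None:
        status = "check-manually" if has_jndi else "not-log4j-core"
    elif version > AFFECTED_MAX:
        status = "outside-affected-range"
    else:
        status = "action-needed" if has_jndi else "jndilookup-removed"
    return {"jar": Path(jar_path).name, "version": version, "status": status}

def scan(install_dir):
    """Assess every top-level .jar under install_dir (nested jars are not unpacked)."""
    found = []
    for path in sorted(Path(install_dir).rglob("*.jar")):
        try:
            result = assess_jar(path)
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable archive: skip rather than abort the inventory
        if result["status"] != "not-log4j-core":
            found.append(result)
    return found

def make_sample_jar(path, with_jndi):
    """Write a constructed stand-in jar (not a real log4j build) for the demo."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    demo = Path(tempfile.mkdtemp()) / "log4j-core-2.13.3.jar"  # constructed sample
    make_sample_jar(demo, with_jndi=True)
    print(scan(demo.parent))
```

Against a real installation, call `scan()` with the product's installation directory; jars embedded inside other archives need to be unpacked first.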

What about other products such as DocBridge® Pilot or DocBridge® Mill?

  • Products other than DocBridge® Impress Designer (up to version 2.0.1) are not affected by CVE-2021-44228.

What else is Compart doing to minimize the risk posed by Log4j2?

Immediately after the vulnerability became known, all internal IT systems were checked for it in addition to our own software, the recommended countermeasures were initiated, and available patches were installed. We will continue to monitor the situation closely and inform our customers promptly if new information becomes available.
