This security advisory provides customers with an update on how Nedap Identification products and services are affected by the Apache Log4j vulnerability (CVE-2021-44228). This vulnerability has been referred to as Log4Shell by some outlets.
What is this vulnerability?
A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library, Log4j. This industry-wide security vulnerability allows an unauthenticated adversary to execute code on systems that have this library deployed, by supplying specially crafted content that the application logs. This is a serious vulnerability that affects many software products and online services.
How does this vulnerability affect Nedap Identification Systems?
Nedap Identification Systems does not use Apache Log4j in its hardware products (e.g. uPASS, TRANSIT, NVITE and ANPR).
However, our software services MOOV and SENSIT do use Apache Log4j. In response, we immediately investigated the use of Log4j across our platforms. As a result:
- We implemented the vendor-provided update to our MOOV and SENSIT applications and rolled it out to all applications running on our servers.
- We are continuing to monitor this issue and will determine whether additional action is required.
What actions should I take?
- Users of our services do not need to take any action at this time.
- We strongly recommend that partners who developed integrations with our platform APIs evaluate their own software for this vulnerability.
  If use of a vulnerable version is identified, we strongly recommend upgrading to the fixed version provided by the Apache Software Foundation, or implementing a vendor-recommended mitigation.
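For partners who need to "evaluate their own software", the first practical step is an inventory: find every log4j-core JAR in a deployment, including those bundled inside WAR or EAR files, and read off its version. The script below is an added example written for this advisory, not Nedap tooling and not code from the Apache project. It relies on two things I take as given about the published artifact: the Maven layout inside the JAR (a pom.properties file under META-INF/maven that carries the version) and the artifact filename pattern log4j-core-<version>.jar as a fallback. It also reports whether the JNDI lookup class is present, since removing that class from the JAR was one of the published mitigations. The fixed-version threshold is passed in by the caller; the advisory above points to the Apache page that names the release fixing CVE-2021-44228, and later releases addressed follow-up issues, so take the threshold from there rather than from this example. The sample tree built by build_sample_tree() is constructed test data, not real artifacts.

```python
"""Inventory Log4j 2 core JARs under a directory tree, including JARs nested in WAR/EAR files.

Added example for the advisory above, not Nedap's tooling and not Apache code. Assumes the
standard Maven layout inside the published log4j-core artifact and its filename pattern.
"""
import io
import os
import re
import tempfile
import zipfile

# Java archives that may themselves bundle other archives.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven writes this file into the log4j-core JAR it builds; it carries the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The JNDI lookup class; deleting it from the JAR was one published mitigation, so report it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Published artifact filename, e.g. log4j-core-2.14.1.jar (also matches -SNAPSHOT builds).
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare as tuples; None if unparsable."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_from_pom(data):
    """Extract the 'version=' entry from a pom.properties payload (bytes)."""
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return parse_version(value)
    return None


def inspect_archive(zf, location):
    """Yield one finding per log4j-core seen in zf, recursing into nested archives.

    location is the human-readable path; nested archives are joined with '!'.
    """
    names = zf.namelist()
    version = None
    if POM_PROPERTIES in names:
        version = version_from_pom(zf.read(POM_PROPERTIES))
    else:
        m = NAME_RE.search(location)  # fall back to the artifact filename
        if m:
            version = parse_version(m.group(1))
    jndi_present = JNDI_LOOKUP_CLASS in names
    if version is not None or jndi_present:
        yield {"location": location, "version": version, "jndi_lookup_present": jndi_present}
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{location}!{name}")
            except zipfile.BadZipFile:
                continue  # a .jar-named entry that is not actually a zip


def scan_tree(root, minimum_fixed):
    """Walk root and flag every finding whose version is unknown or below minimum_fixed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    for finding in inspect_archive(zf, path):
                        v = finding["version"]
                        finding["below_fixed"] = v is None or v < tuple(minimum_fixed)
                        findings.append(finding)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Write constructed fixtures (not real artifacts): a WAR bundling an old log4j-core JAR,
    a broken entry that is not a zip, and a standalone JAR identifiable only by filename."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPERTIES, "artifactId=log4j-core\nversion=2.14.1\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a class
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/other-lib-1.0.jar", b"not a zip")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.99.0.jar"), "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Core.class", b"")  # constructed version


def demo(minimum_fixed=(2, 15, 0)):
    """Run the scanner over the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, minimum_fixed)


if __name__ == "__main__":
    import sys
    # Threshold: 2.15.0 is the release the Apache advisory names for CVE-2021-44228; later
    # releases fixed follow-up issues, so confirm the value against that advisory.
    threshold = parse_version(sys.argv[2]) if len(sys.argv) > 2 else (2, 15, 0)
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", threshold):
        print(f)
```

Run it as `python scan_log4j.py /opt/apps 2.15.0` (paths and the script name are placeholders). A finding with `below_fixed` True, or with `jndi_lookup_present` True and no version, is the thing to follow up: either upgrade the artifact or apply the mitigation the vendor of that application recommends. Note the scanner reads JAR metadata only; it does not attempt to trigger the vulnerability.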
Where can I find more information?
Additional information on this vulnerability can be found here:
- Apache Software Foundation: Apache Log4j Security Vulnerabilities
- National Vulnerability Database: CVE-2021-44228