
JAVA vulnerability: Workaround closes it


Only certain versions of the FORCE MES FLEX solution – namely 5.9 to 5.11 – are affected by the security vulnerability in the JAVA component Log4j. The gap can be closed with a comparatively simple workaround.

Critical JAVA vulnerability in Log4j

Releases of FORCE MES FLEX: Workaround eliminates security risk

A vulnerability is making headlines worldwide: IT teams around the globe have been working at full speed since the weekend to close the security hole in the JAVA component Log4j for their customers. Since last weekend, we at FORCAM have likewise been working continuously on solutions for our customers, following the warning issued by the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (BSI).

This weekend, the BSI had upgraded the cyber security warning for the vulnerability in the Java library Log4j to red. This means: The IT threat situation is classified as extremely critical, there is a threat of many services failing, and regular operations cannot be maintained.

Worldwide, attacks on IT systems have already been reported. Affected are JAVA-based services that use the component “log4j-core” for logging.

Only certain FORCAM releases affected

We were able to determine that only certain versions of one of our solutions, FORCE MES FLEX, are affected by the vulnerability in JAVA, namely the releases from 5.9 to 5.11. For versions lower than 5.9, as well as for our other solutions, we can give the all-clear.

As agreed, all cloud-based FORCAM solutions are automatically maintained by our FORCAM Cloud teams and security gaps are closed.

Nevertheless, we have notified our customers of an urgent need for action in the affected versions of FORCE MES FLEX, both by email and by warning on our customer portal.

Systems affected that use the ffauth service

According to our analysis, systems where the ffauth service is installed are affected. Customers can eliminate the immediate danger by setting a host environment variable on the application server, a comparatively simple process. We have communicated this workaround to customers as an immediate action – along with a hotline from our service and support team in case any questions arise.
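As an added example that is not FORCAM's own code: a shell script for an administrator to inventory log4j-core JARs under an install directory and report, per JAR, whether the release already contains the fix or whether the lookup-disabling mitigation is in effect. It assumes the host variable the post refers to is the upstream Log4j switch LOG4J_FORMAT_MSG_NO_LOOKUPS (or its JVM property form), which the post does not name, and the paths and JAR names are constructed samples.

```bash
#!/usr/bin/env bash
# Added example, not FORCAM's code. Assumption: the host environment variable
# meant in the post is LOG4J_FORMAT_MSG_NO_LOOKUPS=true (upstream Log4j 2.10-2.14.1
# switch); the same mitigation can be passed as -Dlog4j2.formatMsgNoLookups=true.
# Upgrading log4j-core remains the real fix; the flag is a stopgap.

# Extract the version from a log4j-core file name, e.g. log4j-core-2.14.1.jar -> 2.14.1
log4j_version_from_name() {
  local base
  base=$(basename "$1")
  case "$base" in
    log4j-core-*.jar) base=${base#log4j-core-}; printf '%s\n' "${base%.jar}" ;;
    *) return 1 ;;
  esac
}

# Return 0 for a Log4j 2.x release below 2.15.0, the first release shipping the JNDI fix
version_needs_mitigation() {
  local major rest minor
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}        # "0-beta9" -> "0"
  [ "$major" = 2 ] && [ "${minor:-0}" -lt 15 ]
}

# Return 0 when either the env variable value or the JVM options disable lookups
mitigation_active() {
  local env_value="$1" jvm_opts="$2"
  [ "$(printf '%s' "$env_value" | tr 'A-Z' 'a-z')" = true ] && return 0
  case "$jvm_opts" in *-Dlog4j2.formatMsgNoLookups=true*) return 0 ;; esac
  return 1
}

# Walk a directory tree; print "status<TAB>version<TAB>path" for each log4j-core JAR
scan_tree() {
  local root="$1" env_value="$2" jvm_opts="$3" jar ver status
  find "$root" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
    ver=$(log4j_version_from_name "$jar") || continue
    if ! version_needs_mitigation "$ver"; then status=fixed-release
    elif mitigation_active "$env_value" "$jvm_opts"; then status=mitigated-by-flag
    else status=EXPOSED; fi
    printf '%s\t%s\t%s\n' "$status" "$ver" "$jar"
  done
}

# Usage on a real host: scan_tree /opt/app "$LOG4J_FORMAT_MSG_NO_LOOKUPS" "$JAVA_TOOL_OPTIONS"
```

Any line reporting EXPOSED identifies a JAR that still needs either the flag set on that host or the patched release.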

Of course, it is important to remain very vigilant and to eliminate this and, where possible, all other security risks, especially in the next planned patches. FORCAM will do this to the best of its knowledge, in its proven manner.

14. December 2021

Your contact person

You want to know more about the topic? I will be happy to answer any open questions as your contact person. You can reach me at: Norbert.Loeffler@forcam.com

Norbert Löffler

Lead Service & Support

Norbert.Loeffler@forcam.com