IMPORTANT information about the critical Log4j vulnerability (CVE-2021–44228)

IMPORTANT information about the critical Log4j vulnerability (CVE-2021-44228)

UPDATE [16 .12.2021]: Information about the critical Log4j vulnerability (CVE-2021–44228)

A re­cent­ly dis­c­lo­sed se­cu­ri­ty vul­nera­bi­li­ty in the pro­gram li­bra­ry “Log4j” threa­tens mil­li­ons of IT sys­tems. We in­for­med you about this se­cu­ri­ty vul­nera­bi­li­ty in con­nec­tion with our QM so­lu­ti­on on Tuesday.

The In­for­ma­ti­on page of the Fe­deral Of­fice for In­for­ma­ti­on Se­cu­ri­ty (BSI) lists ad­di­tio­nal in­for­ma­ti­on on this vulnerability.

The re­view of the po­ten­ti­al­ly af­fec­ted com­pon­ents of d.velop AG is now very ad­van­ced. The con­ti­nuous­ly up­dated in­for­ma­ti­on about the pro­ducts can be found in the Know­ledge Base Ar­ti­cles of d.velop AG. We are con­ti­nuous­ly mo­ni­to­ring the in­for­ma­ti­on pu­blis­hed the­re to as­sess the im­pact on our QM so­lu­ti­on and cur­r­ent­ly as­sess the si­tua­ti­on as follows.

Our QM so­lu­ti­on in­clu­des pro­ducts by d.velop Life Sci­en­ces GmbH and d.velop AG. The pro­ducts by d.velop Life Sci­en­ces GmbH do not use the con­cer­ned li­bra­ry “Log4j” and are the­re­fo­re not af­fec­ted by the vulnerability.

The d.velop AG pro­ducts used to ope­ra­te the QM so­lu­ti­on are also not af­fec­ted by the se­cu­ri­ty vul­nera­bi­li­ty. The­se used pro­ducts of d.velop AG, which are in­stal­led with the in­stal­la­ti­on ac­cord­ing to IQ, are lis­ted in the Know­ledge Base Ar­ti­cle of d.velop AG as not affected.

The men­tio­ning of the d.3 pre­sen­ta­ti­on ser­ver, which is also used for the QM work­flows, re­fers ex­clu­si­ve­ly to cus­to­mer-spe­ci­fic ex­ten­si­ons (Web­Apps) that con­tain the end­an­ge­red ver­si­on of “Log4j” its­elf. Such cus­tom ex­ten­si­ons are not used in our QM so­lu­ti­on. The ver­si­on of the d.3 pre­sen­ta­ti­on ser­ver in­stal­led with the QM so­lu­ti­on uses an unused and ol­der ver­si­on of the li­bra­ry, which is not af­fec­ted by the CVE-2021–44228 vulnerability.

Some cus­to­mers use an in­co­m­ing in­voice so­lu­ti­on in con­nec­tion with d.ecs task, which has been clas­si­fied as af­fec­ted by d.velop AG. If you have not yet con­ta­c­ted us in this re­gard, plea­se con­ta­ct our sup­port or your re­spon­si­ble pro­ject manager.

If you have in­stal­led other d.velop AG pro­ducts in your com­pa­ny, you should ur­gent­ly ob­ser­ve the mea­su­res lis­ted by d.velop AG to eli­mi­na­te the se­cu­ri­ty vul­nera­bi­li­ty if the pro­ducts you have in­stal­led are affected.

Thank you for your at­ten­ti­on and kind regards

Die­ter Schulten

Ma­na­ging Di­rec­tor
d.velop Life Sci­en­ces GmbH

A re­cent­ly dis­c­lo­sed se­cu­ri­ty vul­nera­bi­li­ty in the glo­bal­ly de­ploy­ed pro­gram li­bra­ry “Log4j” threa­tens mil­li­ons of IT sys­tems. Un­for­tu­n­a­te­ly, some d.velop AG pro­ducts are also af­fec­ted by this se­cu­ri­ty vul­nera­bi­li­ty. d.velop AG is al­rea­dy working in­ten­si­ve­ly to iden­ti­fy po­ten­ti­al­ly af­fec­ted com­pon­ents and patch them immedia­te­ly to eli­mi­na­te any risk to systems.

In or­der to keep you per­ma­nent­ly up to date from now on, you will find a new know­ledge base ar­ti­cle of d.velop AG in the d.velop ser­vice por­tal as a cen­tral point of in­for­ma­ti­on. All up­dates on po­ten­ti­al­ly af­fec­ted com­pon­ents, links to the cor­re­spon­ding patches and fur­ther back­ground in­for­ma­ti­on will be pu­blis­hed here. This page is con­ti­nuous­ly up­dated and can be found at this address:

Know­ledge Base Ar­ti­cles from d.velop AG

The Ger­man Fe­deral Of­fice for In­for­ma­ti­on Se­cu­ri­ty (BSI) has pu­blis­hed a red-le­vel se­cu­ri­ty alert for this cri­ti­cal vulnerability.

The In­for­ma­ti­on page of the Fe­deral Of­fice for In­for­ma­ti­on Se­cu­ri­ty (BSI) lists ad­di­tio­nal in­for­ma­ti­on on this vulnerability.

The pro­gram li­bra­ry “Log4j” is a pro­gram li­bra­ry which is used in Java ap­p­li­ca­ti­ons. Ac­cord­ing to the cur­r­ent­ly avail­ab­le in­for­ma­ti­on from BSI, this vul­nera­bi­li­ty is lo­ca­ted in ver­si­ons 2.0 to 2.14.1 of this li­bra­ry. The pro­ducts of d.velop Life Sci­en­ces GmbH do not use this li­bra­ry and are the­re­fo­re not di­rect­ly af­fec­ted by this vulnerability.

Ac­cord­ing to the in­for­ma­ti­on cur­r­ent­ly avail­ab­le to us, the d.3 pre­sen­ta­ti­on ser­ver could pos­si­b­ly be af­fec­ted by this vul­nera­bi­li­ty. This pro­duct of d.velop AG is re­qui­red for the ope­ra­ti­on of the workflows.

As soon as we have re­li­able in­for­ma­ti­on about the af­fec­ted pro­ducts, ver­si­ons and patches of d.velop AG, we will in­form you immediately.

Share now!

Subscribe to the newsletter

You want to stay up to date? Then subscribe to our newsletter.

You want to digitalize your business?

Leave a message. We will get back to you!

Porträt von Mitarbeitern, die im Büro diskutieren