Apache Log4j Vulnerability Statement
We understand that keeping your business running and protecting your services is a priority, one that we here at Pro2col share. Our in-house technical team has been carefully monitoring the issues surrounding the global Log4j vulnerability to ensure that our services are not impacted.
To maintain our business continuity we have conducted an audit of all the systems and 3rd party tools leveraged within Pro2col, to establish and eliminate any risk posed by Log4j exposure.
We have not identified any Log4j vulnerabilities in these systems. We continue to monitor the situation and are having ongoing conversations with our suppliers to ensure this remains the case. We’ve dedicated technical resource to ensure that any patches or fixes issued by our software providers are implemented promptly.
As well as maintaining our business continuity, we aim to provide all of our customers with the most up-to-date advice and information from our vendor partners. Our technical team are liaising directly with the technical and security teams at our vendors to ensure we can pass on information about risks and mitigations at pace.
You can see all of the current responses and fixes from our vendor partners listed below. We will update this page with the latest information as we receive it.
ArcESB / CData
ArcESB 2020 and releases of RSSBus Connect prior to this (RSSBus Connect 2016 through 2019) do not contain any references to log4j and are unaffected by this vulnerability. Similarly, the 2021 release of ArcESB for Windows includes no assemblies that contain the log4j vulnerability. If you are using the Windows/.NET edition of ArcESB or a Java release before 21.0.7963.0, you can proceed without changes.
In recent releases of the Java version of ArcESB 2021 (21.0.7963.0 and later), support was added for a Kafka connector (a connector for integrating with Apache Kafka), which does embed the log4j-1.2.17.jar where a security vulnerability has been found. A review from our development team concludes that we don’t believe this code is exploitable; nevertheless we will be making new builds of the Kafka JDBC driver available soon that remove this embedded jar.
Users of the existing distribution of ArcESB 2021 Java Edition (21.0.7963.0 and later) can remove the cdata.jdbc.apachekafka.jar from the lib folder of their Java servlet container to remove any doubt about the presence of the vulnerability.
SFT / Biscom
Biscom software is not affected by the exploit in any way.
Biscom Security Teams are aware of the log4j zero day exploit (CVE-2021-44228) that has been announced. There is no known impact to our software and services. Within our cloud services we have implemented proactive mitigation measures as we continue to monitor and investigate the situation.
We are monitoring the situation and continuing our investigation for any impact. So far our finding is that the Java class that is at the root of this issue was added in log4j 2.0, so previous versions will not be affected by this specific exploit. Regardless, we are working on upgrading the logging library. Please let us know if you have any questions.
EFT Enterprise, EFT Express / Globalscape
We have received confirmation from our engineering team. We are not vulnerable to this attack vector based on the version of log4j that is used by DMZ gateway. The exploit affects Log4j versions 2.0-beta9 up to 2.14.1. DMZ gateway uses log4j version 1.2.16. If there are any further questions, please let us know.
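The ArcESB, Biscom and Globalscape statements above turn on which log4j generation a product ships (1.2.16, 1.2.17 or a 2.x build) and on whether a jar is embedded inside another jar. The following Python script is an added example, not code from Pro2col or any vendor listed here; it inventories archives, including nested ones, for log4j 1.x classes and for the JndiLookup class of log4j-core 2.x. The function names and the in-memory sample jar are constructed for illustration, and the sample's nested layout is an assumption, since this page does not describe how the real driver embeds the library.

```python
import io
import re
import zipfile
from pathlib import Path

# Markers: JndiLookup ships only in log4j-core 2.x; org/apache/log4j/ is the 1.x line.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"
JAR_NAME = re.compile(r"log4j(?:-core)?-(\d[\w.\-]*?)\.jar$", re.IGNORECASE)
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return (location, finding) tuples for one archive supplied as bytes."""
    hits = []
    named = JAR_NAME.search(label)
    if named:
        hits.append((label, "log4j jar by file name, version " + named.group(1)))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; keep any file-name hit
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            hits.append((label, "log4j 2.x JndiLookup class present"))
        if LOG4J1_LOGGER in names:
            hits.append((label, "log4j 1.x classes present"))
        for name in names:  # recurse into nested archives, with a bounded depth
            if name.lower().endswith(ARCHIVES) and depth < max_depth:
                hits += scan_archive(zf.read(name), label + "!/" + name, depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Scan every archive under root, e.g. a servlet container's lib folder."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

def make_jar(entries):  # helper for the constructed sample below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stand-in for a driver jar with a nested log4j 1.2.17 (real layout may differ).
SAMPLE = make_jar({"lib/log4j-1.2.17.jar": make_jar({LOG4J1_LOGGER: b""})})
```

Call `scan_tree()` on the application's lib directory, or `scan_archive(SAMPLE, "cdata.jdbc.apachekafka.jar")` to see the output format on the constructed sample.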
Cornerstone, Titan, WebDrive / SRT
After a thorough review, our SRT Development team has confirmed that our product suite consisting of Cornerstone MFT, Titan FTP and WebDrive are not susceptible or impacted in any way by the latest Apache Log4j2 (CVE-2021-44228) vulnerability. Our product suite does not leverage or use Apache or Java in any capacity.
Automate, JAMS / HelpSystems
On December 10 NIST published CVE-2021-44228 in response to the open-source Apache “Log4j” utility. HelpSystems is actively monitoring this issue, investigating the potential impact on our products, and assembling the appropriate mitigations.
At this time, Automate and JAMS are not impacted by this vulnerability because the software does not use the Log4j library.
If you need additional details or assistance, please contact support at firstname.lastname@example.org
GoAnywhere MFT / HelpSystems
On December 10 NIST published CVE-2021-44228 in response to the open-source Apache “Log4j2” utility. HelpSystems is actively monitoring this issue, investigating the potential impact on our products, and assembling the appropriate mitigations.
While the Log4j zero-day vulnerability does not appear to affect all Java versions, mitigation steps have been issued for GoAnywhere MFT.
Clearswift / HelpSystems
On December 10, NIST published CVE-2021-44228 in response to the open-source Apache Log4j utility. HelpSystems is actively monitoring this issue, investigating the potential impact on our products, and assembling the appropriate mitigations.
HelpSystems has confirmed that the following versions of the Clearswift Secure Gateway are impacted.
Clearswift Secure Email Gateway v5.3.0
Clearswift Secure Exchange Gateway v5.3.0
Clearswift Secure Email Gateway v5.4.0
Clearswift Secure Exchange Gateway v5.4.0
Clearswift Secure ICAP Gateway v5.4.0
Clearswift v5.4.1 not only resolves this issue by replacing the vulnerable version of Apache Log4j with the latest release, 2.15.0, but also includes an improved integration with O365, improved spam and various bug fixes.
Clearswift v5.4.1 is now available via the product cockpit interface.
Update: December 14, 2021
At Axway, trust is our #1 value and we take the protection of our customers’ data very seriously. We are aware of the recently disclosed Apache Log4j2 vulnerability (CVE-2021-44228).
Axway is working around the clock to patch any Axway product and services that either use the vulnerable component Log4j2 or provide it to customers. If Axway becomes aware of unauthorized access to customer data, we will notify impacted customers without undue delay.
Updates are posted to https://support.axway.com/news/1331/language/en/lang/en and updated regularly as additional information becomes available.
For more information, please review CVE-2021-44228 here and the Apache Log4j2 post: (https://logging.apache.org/log4j/2.x/index.html).
If you have any questions or concerns, please reach out to your Axway Account Executive or Customer Success Manager.
We appreciate your trust in us as we continue to make your success our top priority.
Update: December 13, 2021
On December 9, 2021 Progress Software was made aware of a critical vulnerability in a common Java logging library called Log4j. Links to additional resources describing the vulnerability and its origin are included at the end of this post.
None of the currently supported versions of WS_FTP Server or WS_FTP Pro are impacted by this vulnerability as they do not contain Log4j as part of the shipped code. Please check the WS_FTP Product Support Lifecycle page and ensure you are on a supported version of WS_FTP.
BAM / Accolm
Update: December 13, 2021
In response to CVE-2021-45046 released by NIST on December 14, 2021, the Accolm team have listed mitigation steps that need to be followed to address the Apache Log4j 2.x vulnerability issue to protect your BAM. These steps are in the attached file.
These mitigation steps are only applicable to BAM version 6.5 and 6.6 RC.
We will keep you up to date with any further developments.