We will be transitioning to a new and improved knowledge base in the near future. Stay tuned here for updates as we prepare for launch.

What's the Problem?

In the first half of December 2021, a vulnerability in the popular log4j (version 2) library was disclosed. Log4j is a component that many Java applications use for logging. The vulnerability can be exploited for Remote Code Execution (RCE). Needless to say, a risk this serious in such a widely used library caused quite a shockwave in the Java world.

Does Xpertdoc Smart Flows Use log4j 2?

Xpertdoc Smart Flows does not use log4j 2 directly, but it uses another component, Spring Boot, that has a dependency on log4j 2. The version of log4j currently pulled in by Smart Flows' Spring Boot component is 2.13, which is indeed affected by this vulnerability. However, the vulnerability can be exploited only if Spring Boot uses log4j as its default logging mechanism, which is not the case with Xpertdoc Smart Flows.

Based on the current information, the vulnerable code is present but cannot be exploited.

UPDATE 2021/12/22 - Nevertheless, we have shipped a new version of Xpertdoc Smart Flows that does not expose customers to the vulnerability at all, by making sure all underlying components use log4j version 2.17 or higher. We recommend updating to Xpertdoc Smart Flows 4.12.4.4 or higher.

What If I Use Xpertdoc Smart Flows in the Cloud?

The vulnerability can only be exploited on certain versions of the Java SE Development Kit (JDK). Based on the information we have at this point, our cloud infrastructure runs a JDK version that is not exposed to exploitation of this vulnerability.

UPDATE 2021/12/22 - Nevertheless, we will update our cloud environments to a version of Xpertdoc Smart Flows that does not expose customers to the vulnerability at all, by making sure all underlying components use log4j version 2.17 or higher. All shared cloud environments will receive a silent update to a version of Smart Flows at 4.12.4.4 or higher. All private cloud environments will receive a recommendation to update.

What if I Use Xpertdoc Smart Flows on Premises?

If you have an on-premises deployment of Xpertdoc Smart Flows, we recommend updating the Java JDK on your Smart Flows servers to version 11.0.2 or a higher JDK 11 release, as mentioned on the Requirements page.

UPDATE 2021/12/22 - We have shipped a new version of Xpertdoc Smart Flows that does not expose customers to the vulnerability at all, by making sure all underlying components use log4j version 2.17 or higher. We recommend updating to Xpertdoc Smart Flows 4.12.4.4 or higher, available on my.xpertdoc.com.
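As an added example, not Xpertdoc's own tooling and not part of the original page, the following POSIX shell script lets an on-premises administrator verify on a Smart Flows server the conditions this page describes: that every log4j-core jar under the install directory is at version 2.17 or higher (the update notes above), whether Spring Boot's log4j2 starter is present at all (the "Does Xpertdoc Smart Flows Use log4j 2?" section), and that the JDK reports 11.0.2 or higher (the on-premises recommendation above). It assumes dependency jars are laid out as individual files under the given directory, such as an exploded WEB-INF/lib, and that each jar carries its version in its filename (log4j-core-2.17.1.jar); the /opt/smartflows path in the usage line is a hypothetical placeholder. It reads filenames only and does not inspect jar contents.

```shell
#!/bin/sh
# Added example, not Xpertdoc's own tooling: check on a Smart Flows server that
#   1. every log4j-core jar under the install directory is 2.17 or higher,
#   2. Spring Boot's log4j2 starter is (or is not) on the classpath,
#   3. the JDK reports 11.0.2 or higher.
# Assumes dependency jars sit as individual files under the directory
# (e.g. an exploded WEB-INF/lib) and carry their version in the filename.

# version_ge A B: succeed when dotted version A >= B. Missing components
# count as 0 ("2.17" equals "2.17.0"); trailing qualifiers ("0_292", "3-rc1")
# are dropped by awk's numeric conversion, which keeps only the leading digits.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, pa, "[.]"); m = split(b, pb, "[.]")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      x = pa[i] + 0; y = pb[i] + 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# scan_log4j_jars DIR MINVER: print one line per log4j-core jar found under
# DIR, tagged OK or OUTDATED relative to MINVER.
scan_log4j_jars() {
  dir="$1"; minver="$2"
  find "$dir" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
    ver=$(basename "$jar" .jar)      # log4j-core-2.13.3
    ver=${ver#log4j-core-}           # 2.13.3
    if version_ge "$ver" "$minver"; then
      printf 'OK        %s (%s)\n' "$jar" "$ver"
    else
      printf 'OUTDATED  %s (%s, below %s)\n' "$jar" "$ver" "$minver"
    fi
  done
}

# count_outdated DIR MINVER: print the number of OUTDATED jars (0 when clean).
count_outdated() {
  scan_log4j_jars "$1" "$2" | grep -c '^OUTDATED' || true
}

# log4j2_starter_present DIR: succeed when Spring Boot's log4j2 starter jar is
# present, meaning log4j 2 would be the active logging backend instead of the
# default Logback starter (spring-boot-starter-logging).
log4j2_starter_present() {
  [ -n "$(find "$1" -type f -name 'spring-boot-starter-log4j2-*.jar' | head -n 1)" ]
}

# jdk_version_from_banner LINE: extract 11.0.2 from the first line that
# `java -version` prints, e.g.:  openjdk version "11.0.2" 2019-01-15
jdk_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# jdk_meets_minimum LINE MINVER: succeed when the banner's JDK is >= MINVER.
jdk_meets_minimum() {
  v=$(jdk_version_from_banner "$1")
  [ -n "$v" ] && version_ge "$v" "$2"
}

main() {
  dir="$1"
  echo "== log4j-core jars under $dir (minimum 2.17) =="
  scan_log4j_jars "$dir" 2.17
  echo "outdated: $(count_outdated "$dir" 2.17)"
  if log4j2_starter_present "$dir"; then
    echo "spring-boot-starter-log4j2 found: log4j 2 is the active logging backend"
  else
    echo "spring-boot-starter-log4j2 not found: log4j 2 is not the default backend"
  fi
  if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1 | head -n 1)
    if jdk_meets_minimum "$banner" 11.0.2; then
      echo "JDK OK: $banner"
    else
      echo "JDK BELOW 11.0.2: $banner"
    fi
  fi
}

# Usage: sh log4j-check.sh /opt/smartflows   (hypothetical install path)
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Any OUTDATED line is a jar that still needs to be replaced by the 4.12.4.4 update; a packaged Spring Boot application keeps its dependencies inside the jar under BOOT-INF/lib, so unpack it (for example with unzip) into a directory before pointing the script at it.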

What if I Use Other Xpertdoc Products?

Xpertdoc Smart Flows is Xpertdoc's only supported Java application; no other Xpertdoc product is affected by the log4j vulnerability.
