UPDATE [16.12.2021]: Information about the critical Log4j vulnerability (CVE-2021-44228)
A recently disclosed security vulnerability in the “Log4j” software library threatens millions of IT systems. We informed you about this vulnerability in connection with our QM solution on Tuesday.
The information page of the German Federal Office for Information Security (BSI) provides further information on this vulnerability.
d.velop AG's review of its potentially affected components is now well advanced. Continuously updated information on the products is available in d.velop AG's Knowledge Base articles. We monitor the information published there to assess the impact on our QM solution and currently assess the situation as follows.
Our QM solution comprises products from Digital Life Sciences GmbH and d.velop AG. The Digital Life Sciences GmbH products do not use the “Log4j” library and are therefore not affected by the vulnerability.
The d.velop AG products used to operate the QM solution are likewise not affected by the vulnerability. These products, which are installed as part of the installation according to the IQ (Installation Qualification), are listed in d.velop AG's Knowledge Base article as not affected.
The listing of the d.3 presentation server, which is also used for the QM workflows, refers exclusively to customer-specific extensions (WebApps) that themselves bundle a vulnerable version of “Log4j”. Our QM solution uses no such custom extensions. The version of the d.3 presentation server installed with the QM solution ships an older version of the library that is not used and is not affected by CVE-2021-44228.
Some customers use an incoming-invoice solution together with d.ecs task, which d.velop AG has classified as affected. If you have not yet been in contact with us about this, please contact our support or your responsible project manager.
If you operate other d.velop AG products in your company and they are listed as affected, apply the remediation measures published by d.velop AG without delay.
Thank you for your attention and kind regards
Dieter Schulten
Managing Director
Digital Life Sciences GmbH
A recently disclosed security vulnerability in the widely deployed “Log4j” software library threatens millions of IT systems. Unfortunately, some d.velop AG products are also affected by this vulnerability. d.velop AG is already working intensively to identify potentially affected components and to patch them immediately so that systems are not put at risk.
To keep you up to date from now on, d.velop AG has published a new Knowledge Base article in the d.velop service portal as the central point of information. All updates on potentially affected components, links to the corresponding patches and further background information will be published there. The page is continuously updated and can be found at this address:
Knowledge Base Articles from d.velop AG
The German Federal Office for Information Security (BSI) has issued a security alert at its highest warning level (red) for this critical vulnerability.
The information page of the German Federal Office for Information Security (BSI) provides further information on this vulnerability.
“Log4j” is a logging library used in Java applications. According to the information currently available from the BSI, the vulnerability affects versions 2.0 to 2.14.1 of this library. The products of Digital Life Sciences GmbH do not use this library and are therefore not directly affected by this vulnerability.
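A practical check that operators can run against their own installation directories, added here as an example and not part of the original notice or of any Digital Life Sciences GmbH or d.velop AG tooling: it walks a directory tree, finds Java archives that carry Log4j, reads the version from the archive's own Maven metadata (falling back to the filename), and reports whether the version lies in the range named above (2.0 up to and including 2.14.1) and whether the JndiLookup class that CVE-2021-44228 abuses is still present. The directory layout and the four sample archives are constructed in a temporary directory for the demonstration; they are not real product files.

```python
"""Added example (not the vendor's tooling): find bundled Log4j archives under a
directory and classify each one against the version range named in the notice.
The sample jars built by build_sample_tree() are constructed test data."""
import os
import re
import tempfile
import zipfile

# Range the BSI information cited on the page names as affected (inclusive).
AFFECTED_LOW = (2, 0, 0)
AFFECTED_HIGH = (2, 14, 1)
# Class whose JNDI lookup is abused by CVE-2021-44228; deleting it from the jar
# was the documented stop-gap for hosts that could not upgrade immediately.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its jar.
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Return (major, minor, patch) from '2.14.1', '2.0-beta9' or 'log4j-core-2.17.0.jar'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def archive_version(zf, path):
    """Prefer the version recorded in log4j-core's pom.properties; fall back to the filename."""
    if CORE_POM in zf.namelist():
        for line in zf.read(CORE_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return parse_version(os.path.basename(path))


def inspect_archive(path):
    """Classify one jar/war/ear; return None when it shows no sign of Log4j at all."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        looks_like_log4j = ("log4j" in os.path.basename(path).lower()
                            or CORE_POM in names or JNDI_CLASS in names)
        if not looks_like_log4j:
            return None
        version = archive_version(zf, path)
        has_jndi = JNDI_CLASS in names
    in_range = version is not None and AFFECTED_LOW <= version <= AFFECTED_HIGH
    return {
        "path": path,
        "version": version,
        "in_affected_range": in_range,
        "has_jndi_lookup": has_jndi,
        # Exploitable only when both hold: vulnerable version AND lookup class present.
        "affected": in_range and has_jndi,
    }


def scan_tree(root):
    """Walk root and return findings for every archive that looks like Log4j."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            if not zipfile.is_zipfile(path):
                continue
            result = inspect_archive(path)
            if result:
                findings.append(result)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed test data (not real product files): four minimal archives."""
    def make_jar(relpath, pom_version, with_jndi):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if pom_version:
                zf.writestr(CORE_POM, f"version={pom_version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    make_jar("app-a/lib/log4j-core-2.14.1.jar", "2.14.1", True)   # affected
    make_jar("app-b/lib/log4j-core-2.17.0.jar", "2.17.0", True)   # outside the range
    make_jar("app-c/lib/log4j-core-2.14.1.jar", "2.14.1", False)  # class removed as mitigation
    make_jar("app-d/lib/log4j-1.2.17.jar", None, False)           # Log4j 1.x, not this CVE


def demo():
    """Build the sample tree in a temp dir and return findings keyed by relative path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return {os.path.relpath(f["path"], root).replace(os.sep, "/"): f
            for f in scan_tree(root)}


if __name__ == "__main__":
    for rel, f in demo().items():
        print(f"{rel}: version={f['version']} jndi={f['has_jndi_lookup']} affected={f['affected']}")
```

Two caveats for reading the output. First, the scan only sees what is on disk: a library that is bundled but never loaded, as the notice states for the d.3 presentation server, will still be reported as present, so whether the archive is actually on the application's classpath must be confirmed separately (for example from the process's command line or class-loading logs). Second, the version range is the one stated on this page at the time of writing; treat the two range constants as input to be updated from the current BSI and Apache advisories rather than as fixed truth.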
According to the information currently available to us, the d.3 presentation server may be affected by this vulnerability. This d.velop AG product is required to operate the workflows.
As soon as we have reliable information on the affected d.velop AG products, versions and patches, we will inform you immediately.