October release
November 2, 2021December release
December 21, 2021Description
Scanshare is aware of the recently reported Apache Log4j vulnerability classified as critical and tracked as CVE-2021-442288.
Current products
No current Scanshare products are impacted by the Apache Log4j vulnerability because no product makes use of the Log4j library.
Scanshare highly suggests to keep the software always up-to-date.
Older products
In older versions of Scanshare (< 21.03) an older version of Log4j (v1.2.16) could be found in the Samsung XOA Web client component.
According the Apache security bulletin: Log4j 1.x does not have Lookup so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Scanshare Samsung XOA Web client makes no use of the JMSAppender hence neither older products are impacted by the Apache Log4j vulnerability.
Since Scanshare v5.21.03 Samsung XOA Web client is no longer included in the product installer.