Apache Tomcat Ghostcat vulnerability for Equitrac Office / Express 5.x
Question:
Is Autostore, Equitrac and/or Output Manager affected by the Log4j vulnerability CVE-2020-1938?
The Apache Tomcat Ghostcat vulnerability, CVE-2020-1938 (see NVD, nist.gov), has been identified. The following information can be used for Equitrac Office and Express to avoid this vulnerability. It only affects the Device Web Service component.
Answer:
The previous instructions on how to resolve this issue have been superseded.
Equitrac Device Web Service does not utilize the AJP feature of Apache Tomcat.
A hotfix release of Equitrac Device Web Service (DWS) mitigated this issue. However, as a prerequisite, Equitrac 5.7 Fixpack 1 must be applied to all other components (CAS, DCE, DRE, etc., NOT DWS) before the DWS service is patched. This can be downloaded for Equitrac Office or Equitrac Express here.
Once those components are patched, the latest DWS hotfix can be applied. It is available on the "ControlSuite and the Log4j vulnerability CVE-2021-44228 - Kofax" web page.
Applies to:
Product | Version |
---|---|
Equitrac Office | 5.x |
Equitrac Express | 5.x |