Skip to main content

ControlSuite and the Log4j vulnerability CVE-2021-44228

Apache Log4j-core vulnerability (CVE-2021-44228)
Article # 3037079 - Page views: 13980


Are ControlSuite, Autostore, Equitrac and/or Output Manager affected by the Log4j vulnerability (CVE-2021-44228)?


Kofax is aware of the recently disclosed Apache Log4j-core vulnerability described in CVE-2021-44228, It affects only version 2.00 through version 2.15 and we have analyzed all affected products.  Apache have now resolved this vulnerability in versions 2.16.0 and above. 

Results show that some Kofax products have included the libraries containing the vulnerable component Log4j-core 2.x. In all cases our software does not use it, we confirm they do not use the affected components (including JNDI, SocketServer, Websockets or JMSAppender) and are therefore not vulnerable.

Kofax have now released Hotfixes that remove the vulnerability and remove the unaffected libraries.   

For products containing the earlier version Log4j-core 1.x files that is not known to be vulnerable,  however may be detected by security scans as an obsolete version

The following Kofax products have been identified to include the potential vulnerable Log4j-core 2.x files: 




Device Web Service (DWS)



The listed version of DWS Include the Log4j-core 2.13 components, but it is not used by DWS.

Mitigation :

Kofax has released a new DWS fix which will remove the Log4j components, and the fix can be applied to:

  • Kofax Equitrac Office\Express Server (Fixpack 1 for EQ5.7 that includes DWS 5.11.6 to update Tomcat). Update components except DWS to this version and then upgrade DWS as below. 

Download the fix here to replace the DWS.msi included in Fixpack 1 and read all installation notes for Fixpack 1 before applying. The Configuration Assistant included in  Fixpack 1 will be required to safely migrate all devices to the new version of DWS.

For Equitrac, if DWS is installed on a drive other than C follow EO/EE: Upgrading DWS To the latest version (installations on a non C: drive) - Kofax for instructions to ensure devices are retained in DWS


Device Web Service (DWS)



The listed version of DWS Include the Log4j-core 2.13 components

ControlSuite 1.2 Fixpack 5 is now released. This will include log4j-core version 2.17.1 as per DRS

ControlSuite 1.3 is now released. It also includes log4j-core version 2.17.1 as per DRS

Device Registration Service (DRS)









Used with pre-ControlSuite versions of Equitrac, AutoStore and Output Manager

A third-party tool is used during the process of deploying certain embedded device clients, and it is this portion of the software that uses the version included in the CVE. Note that DRS v7.13.0.2 versions and below are not affected.

Mitigation :

Kofax has now released a new version of DRS that is not affected by log4j-core as it uses version 2.17.1. 

Device Registration Service (DRS)



This version of the software uses the log4j-core version 1.2.17. This version (and below) is not known to be vulnerable but may be detected by scans as an obsolete version

ControlSuite 1.2 Fixpack 5 is now released. This will use log4j-core version 2.17.1 as per DRS

ControlSuite 1.3 is now released. It also includes log4j-core version 2.17.1 as per DRS


Kofax continue to evaluate the usage of log4j2-core in the above products and will take all necessary steps to mitigate any issue, and create a patch as soon as possible wherever it is needed.

The following Kofax products are NOT using the potential vulnerable Log4j2-core version: 


  • ControlSuite Security Framework is supplied with Apache Cassandra Version 3.11. 

    • Cassandra uses log4j-over-slf4j, version 1.7.7.  Cassandra does not use full log4j-core.
    • Security scans stating that log4j should be updated to version 2.16 or later only applies to software which utilizes log4j-core.
    • Log4j-over-slf4j does not contain the full version of log4j-core and does not use the JNDI lookup mechanisms that exposed the vulnerability in log4j2
    • Cassandra’s use of log4j-over-slf4j uses ‘logback’ and not ‘log4j’, therefore it is not vulnerable in Cassandra .

Flexera FlexLM:

  • ControlSuite 1.3 Fixpack 1 is now released, Flexnet no longer utilises any log4j functionality and therefore is not vulnerable
  • ControlSuite 1.2 Fixpack 3.Licensing is supplied with Flexera version 2021.09.00. 
    • Flexera 2021.09.00 contains log4j-core 1.2.17 files as part of its dependencies.  This version of log4j is not vulnerable to CVE-2021-4422.  Flexera does not enable SocketServer, Websockets, JMSAppender in their default configuration.  Also all logging is disabled by default.
    • Security scans stating that log4j should be updated to version 2.16 can be resolved by upgrading Kofax Controlsuite to version 1.3 Fixpack 1

Other Applications

  • All Other Equitrac  Autostore and Output Manager Components do not contain or use log4j libraries.

Applies to:  

Product Version
AutoStore 7 & 6
ControlSuite 1.x
Equitrac 5.x
Output Manager 4.x




Article # 3037079