Skip to main content

ControlSuite and the Log4j vulnerability CVE-2021-44228

Article # 3037079 - Page views: 8661


Are ControlSuite, Autostore, Equitrac and/or Output Manager affected by the Log4j vulnerability (CVE-2021-44228)?


Kofax is aware of the recently disclosed Apache Log4j2 vulnerability (CVE-2021-44228), and we are actively analyzing all potential affected Kofax products. Preliminary results show that some Kofax products include the vulnerable component Log4j2, though the component is included it is not used by the software.

Kofax can also confirm that for Log4j 1.x ControlSuite, Equitrac, AutoStore, Output Manager and any Kofax Clients associated with these products, we do not use JNDI or JMSAppender and are therefore not vulnerable.

The following Kofax products are using the potential vulnerable Log4j2 version: 







The listed versions of DWS Include the Log4j 2.13 components, but it is not used by DWS. Kofax has released a new DWS fix which will remove the Log4j components, and the fix can be applied to:

  • Kofax ControlSuite 1.1 Fixpack 5 and above (DWS 5.11.5 and above)
  • Kofax ControlSuite 1.2 and above (DWS 10.2.0 and above)
  • Kofax Equitrac Office\Express Server (Fixpack 1 for EQ5.7 that includes DWS 5.11.6 to update Tomcat)

Download the fix Here and read all installation notes before applying.


Third-party tool is used during the process of deploying certain embedded device clients, and it is this portion of the software that uses the version included in the CVE. Kofax is working with the vendor on a on a resolution.  Note that DRS v7.13.0.2 is not affected.

Mitigation (Please choose one of the below steps):

  • Delete the following files from the system running DRS (do not remove if deploying Ricoh devices). 

    DRS 7.13.X: The folder is “C:\Program Files (x86)\Nuance\Device Registration Service\Service\Plugins\RXOP-SOP”

    DRS in ControlSuite: The folder is “C:\Program Files\Kofax\Device Registration Service\Service\Plugins\RXOP-SOP”
  • Stop the DRS service when not in use (do not stop if using Combined Client).
  • Downgrade to DRS v7.13.0.2.
  • All versions of ControlSuite DRS are not affected

Kofax is in the process of evaluating the usage of log4j2 in the above products and will take all necessary steps to mitigate the issue, and create a patch as soon as possible wherever it is needed


The following Kofax products are NOT using the potential vulnerable Log4j2 version: 

  • Cassandra 
  • Flexera FlexLM:
    • From looking through flexnetls.jar, Flexnet uses log4j-1.2.17.jar.  This version is pre 2.0 so it does not have the vulnerability.
  • Other Equitrac Components
  • Other AutoStore Components
  • Output Manager

Applies to:  

Product Version
AutoStore 7 & 6
ControlSuite 1.x
Equitrac 5.x
Output Manager 4.x