ABBYY - Log4J Vulnerability

 

On December 10, 2021, a zero-day vulnerability was identified in the Apache Log4j logging software (CVE-2021-44228). The identified vulnerability allows remote code execution by unauthenticated threat actors. The severity of the vulnerability has been deemed critical.

ABBYY is aware of this vulnerability. In response, we immediately mobilized our Information Security and Product Engineering teams to investigate the issue and to determine any impact to ABBYY products.

Actions taken by ABBYY regarding CVE-2021-44228

ABBYY has performed a full review – including source code and production environments – and has determined that its Cloud and on-premise products are NOT affected by this vulnerability with the exception of two db connectors:


Affected components

− DBMS Connector for ABBYY Timeline. While the overall ABBYY Timeline core product is not affected by the Log4j vulnerability, an auxiliary component, the db connector, uses Log4j. To avoid the CVE-2021-44228 vulnerability, start the connector's Java process with the following JVM option on the command line: java -Dlog4j2.formatMsgNoLookups=true. Please refer to this article for more details.

− ABBYY FlexiCapture connector for Pega. While the overall ABBYY FlexiCapture core product is not affected, the FlexiCapture connector for Pega is affected by the vulnerability. ABBYY is actively developing a patch to address this vulnerability as quickly as possible, and is reaching out to affected customers.
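To confirm that the mitigation given for the DBMS Connector actually reached the JVM, the launch command can be checked as below. This is an added example, not ABBYY's code: the function name `lookup_flag_status` and the file `connector.jar` are hypothetical, and options supplied through JAVA_TOOL_OPTIONS or @argfiles are not inspected.

```shell
#!/bin/sh
# Classify a Java launch command (passed as separate arguments) with respect
# to the JVM option -Dlog4j2.formatMsgNoLookups=true. Prints one of:
#   set       - given as a JVM option with the value true
#   disabled  - given as a JVM option, but the effective value is not true
#   misplaced - only appears after the jar or main class, so the JVM treats
#               it as a program argument and never sets the property
#   missing   - not present at all
# The exit status is 0 only for "set".
# Limitation: only the class-path style options below are known to take a
# separate value; other two-token JVM options would end option parsing early.
lookup_flag_status() (
    key='-Dlog4j2.formatMsgNoLookups='
    value='' seen_jvm=no seen_app=no in_app=no status=missing
    [ $# -gt 0 ] && shift                 # drop the java executable itself
    while [ $# -gt 0 ]; do
        arg=$1; shift
        if [ "$in_app" = yes ]; then      # everything here is a program argument
            case $arg in "$key"*) seen_app=yes ;; esac
            continue
        fi
        case $arg in
            "$key"*) seen_jvm=yes; value=${arg#"$key"} ;;  # last occurrence wins
            -jar) [ $# -gt 0 ] && shift; in_app=yes ;;     # skip the jar path
            -cp|-classpath|--class-path|-p|--module-path)
                [ $# -gt 0 ] && shift ;;                   # skip the option's value
            -*) ;;                                         # any other JVM option
            *) in_app=yes ;;                               # main class reached
        esac
    done
    if [ "$seen_jvm" = yes ] && [ "$value" = true ]; then status=set
    elif [ "$seen_jvm" = yes ]; then status=disabled
    elif [ "$seen_app" = yes ]; then status=misplaced
    fi
    echo "$status"
    [ "$status" = set ]
)

# Constructed sample command lines (connector.jar is a placeholder name).
lookup_flag_status java -Dlog4j2.formatMsgNoLookups=true -jar connector.jar || true
lookup_flag_status java -jar connector.jar -Dlog4j2.formatMsgNoLookups=true || true
```

The property is only read by Log4j 2.10 and later, so a result of `set` confirms that the option reached the JVM, not that the bundled Log4j version honors it.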

 

CASO Knowledge Base