Are intarsys products affected by the security vulnerability?
The BSI has published the following security warning.
The actual problem is explained in a PDF, which is continuously updated on the BSI website.
intarsys products are not affected by the security problem!
You can continue to operate the following intarsys products in the supported versions without changes:
- Sign Live! CC
- Sign Live! CC DATEV edition
- Sign Live! CC SPARKASSEN edition
- Sign Live! cloud suite bridge
- Sign Live! cloud suite gears
- Sign Live! cloud suite SDK
The Java library that is causing the problem is not in these products.
This also applies to the Archisoft product from FHI-SIT in versions 18.104.22.168 and 22.214.171.124, which is sold by intarsys.
- In Sign Live! cloud suite gears, third-party products used up to version 8.7 are based on the critical Log4j version 2.14, but in the context of gears the dangerous library log4j-core-*.jar is neither delivered nor used. There is therefore no potential risk.
- The example implementations (SDK / JMS) delivered with Sign Live! CC use Log4j version 1.x. These are only activated by calling the command line on the system and also require a special Log4j configuration. They are therefore not considered to be a potential hazard.
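The statement above that log4j-core-*.jar is not delivered can be checked on an installed system. The following is an added example, not intarsys code: it walks an installation directory (the path is an assumption, passed as the first argument) and reports every log4j-core jar, including copies nested inside WAR/JAR archives. Log4j 1.x and log4j-api jars are deliberately not reported.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# File name the advisory calls dangerous: log4j-core-*.jar (group 1 = version)
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def _scan_archive(source, label, findings, depth=0):
    """Record log4j-core jars found inside an archive (path or file object)."""
    if depth > 4:  # bound recursion for deeply nested archives
        return
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                inner = f"{label}!/{name}"
                m = CORE_JAR.search(name)
                if m:
                    findings.append((inner, m.group(1)))
                if name.lower().endswith(ARCHIVES):
                    nested = io.BytesIO(zf.read(name))
                    _scan_archive(nested, inner, findings, depth + 1)
    except (zipfile.BadZipFile, RuntimeError, OSError):
        return  # unreadable, encrypted, or not an archive despite its suffix


def find_log4j_core(root):
    """Return sorted (location, version) pairs for each log4j-core jar under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(ARCHIVES):
            continue
        m = CORE_JAR.search(path.name)
        if m:
            findings.append((str(path), m.group(1)))
        _scan_archive(path, str(path), findings)
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed install directory
    hits = find_log4j_core(root)
    for location, version in hits:
        print(f"log4j-core {version}: {location}")
    sys.exit(1 if hits else 0)
```

The match is by file name only, so a renamed or repackaged copy of the library would not be reported.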
Further security information on the required basic components
Tomcat 9 in its basic configuration, without the standard and other web apps, does not use Log4j.
General security information on the required basic components
Use the JVM in the required version (Java 11; SLcs gears: Java 8) at the most current patch level possible.
The JVM integrated in Sign Live! CC / PDF/A Live! fulfills this (Java 11).
For Sign Live! cloud suite gears, at least Azul JDK 8u312+ should be used.