
This section provides an overview of all critical uniFLOW sysHUB security advisories. For further information regarding these advisories, please get in touch with your local Canon office, authorized reseller, or NT-ware support representative. Access to the NT-ware Knowledgebase is granted to all local Canon offices and authorized resellers to receive more detailed information and patches.

October 2022 | Security Advisory

Security vulnerability in Apache library notification

NT-ware is aware that Apache has recently released patches for two of its products, “Commons Configuration” and “Commons Text”, both of which are libraries used by Java-based software. Remote Code Execution vulnerabilities have been identified in both libraries (CVE-2022-33980 and CVE-2022-42889 respectively) that can be misused if the system is directly or indirectly connected to the internet.

Affected versions:

2022.1 and 2022.2

Product impact:

  • CVE-2022-33980: not affected; the library is not used in the product.
  • CVE-2022-42889: the library is delivered with the product, but the vulnerability is not easily exploitable because the affected functions are not actively used by the product.

Required actions:

  • Out of an abundance of caution, NT-ware recommends that customers replace commons-text.jar with the version available from our download portal until the final patch is rolled out in the next Service Release.
  • We will replace the libraries with the next Service Release, 2022.2.1.

If you require further assistance, please reach out to your Canon consultant.


April 2022 | Security Advisory

Important security advisory on Spring4Shell vulnerability

NT-ware is aware of a new remote code execution vulnerability affecting the Java Spring framework. Named Spring4Shell and tracked as CVE-2022-22965, this vulnerability is in the Java ‘Spring’ library. We tasked our security and development teams to investigate, mitigate and communicate our activities. These activities have concluded, and their results are listed below. As this vulnerability has only recently been disclosed, the information below is subject to change if new exploits are identified.

Below you can find a breakdown of the activity for NT-ware as a company and our individual products:

NT-ware - company

  • All public-facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
  • Some internal services have been identified as using the Spring framework affected by Spring4Shell. We have taken immediate steps to patch them or to put mitigation controls in place.

uniFLOW

None of the uniFLOW components are affected:

  • uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
  • uniFLOW Embedded Applets for:

    • Canon MEAP devices
    • varioPrint 140 devices
    • ColorWave/PlotWave printers
    • ScanFront devices
    • Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices

  • Devices connected with uniFLOW Release Stations

uniFLOW Online/uniFLOW Online Express

None of the uniFLOW Online/uniFLOW Online Express components are affected:

  • The platform itself, SmartClients, and supporting services
  • uniFLOW Embedded Applets for Canon MEAP devices
  • Devices connected with uniFLOW Release Stations

uniFLOW sysHUB

None of the uniFLOW sysHUB (Cosmos) components are affected:

  • While the Spring library is present in the uniFLOW sysHUB (Cosmos) product, we can confirm it is NOT affected by this vulnerability.

    • COSMOS versions < 2.9 use Java 8; the exploit requires Java 9 or later
    • Since COSMOS V2.9 and sysHUB 2021, Java 11 has been used, but the following points rule out the vulnerability:

      • All versions of COSMOS and sysHUB use Jetty instead of Tomcat for the servlet engine
      • All standard web applications are NOT deployed as WAR files
      • Spring-webflux is NOT used in any of the standard web applications

  • Out of an abundance of caution, we will be taking further actions moving forward. Please note there is NO need to perform any patching of existing systems/installations to mitigate the known listed exploits.

    • We will update the Spring library to the latest version with sysHUB 2022.1
    • The build pipeline's capability to deploy WAR files will also be disabled with sysHUB 2022.1

PRISMAsatellite

None of the PRISMAsatellite components are affected.


December 2021 | Security Advisory

Important security advisory on Apache Log4j vulnerability

A critical vulnerability, CVE-2021-44228, also referred to as Log4Shell, has been identified in the popular Java logging library Apache Log4j 2. It has had a devastating global impact on millions of systems and applications, affecting almost every company in some way.

Last week NT-ware activated its security response plan to investigate, mitigate and communicate our activities. These activities have concluded with the result that none of our exposed systems or products is susceptible to this vulnerability.

Below you can find a breakdown of the activity for NT-ware as a company and our individual products:

NT-ware - company

  • All public facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
  • Some internal services have been identified as utilising Log4j. We have taken immediate steps to patch them or to put mitigation controls in place.

uniFLOW

  • None of the following is affected: uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
  • Embedded applets for devices:

    • uniFLOW MEAP embedded applet for Canon devices – Unaffected
    • uniFLOW embedded applet for VarioPrint devices – Unaffected
    • uniFLOW embedded applet for ColorWave/PlotWave devices – Unaffected
    • uniFLOW embedded applet for ScanFront devices – Unaffected
    • uniFLOW embedded applet for Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices – Unaffected
    • Devices connected with Release Stations – Unaffected

uniFLOW Online/uniFLOW Online Express

  • None of the following is affected: the platform itself, SmartClients, and supporting services.
  • Embedded applets for devices:

    • uniFLOW MEAP embedded applet for Canon devices – Unaffected
    • Devices connected with Release Stations – Unaffected

uniFLOW sysHUB

  • Up to and including COSMOS V2.7, log4j version 1.2.x was used. A security flaw has been found in its JMSAppender; the JMSAppender is not used in the COSMOS standard configuration.
  • Since COSMOS V2.8 and sysHUB 2021, log4j Version 2 (version 2.11.0 to Version 2.14.1) is used.
  • CVE-2021-44228 (JNDI lookups): lookups via JNDI in COSMOS/sysHUB are blocked by a custom development and end in a system exception message.
  • CVE-2021-45046 (DoS attack via patterns): none of the patterns $${ctx:loginId}, %X, %mdc, or %MDC is used in the standard configuration. Please review your log4j configuration in the file config/log4j2.xml to ensure you are not using any of the mentioned patterns (which is the case in all standard configurations).
  • CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
  • Even though the product is not exposed by this vulnerability, it is recommended to disable log4j2 lookups as follows:
    • Edit the <install-folder>\CosmosServer.conf file and, for every Agent in use, the <agent-install-folder>\CosmosAgent.conf file
    • Add the line wrapper.java.additional.24=-Dlog4j2.formatMsgNoLookups=true, adjusting the number to the wrapper options already in use; in our case the entry .24 was added
    • Restart the server and all Agents
  • Alternatively, COSMOS and sysHUB installations also work with log4j 2.16.0 and log4j 2.17.0. These versions can be downloaded directly from the Apache website and used to replace the existing version in the ext folder:
    • Stop running servers and agents to be updated
    • Server: replace all ext/log4j*.jar files with the latest version
    • Agent: replace the ext/log4j-core.jar with the latest version but keep the naming without version, file must have the fixed name log4j-core.jar
    • Start running servers and agents
    • The file ant-apache-log4j.jar in the client plugins folder is not a separate log4j library but a connector class from Apache Ant and must not be changed
    • The log4j properties file in the cosmos-web folder is just a config file to enable loggers and must not be changed
  • COSMOS and sysHUB native Client: a workaround is provided to Canon Software Support, an updated version is available as a patch, and a new setup is provided
  • COSMOS and sysHUB Agent: replace the file log4j-core.jar in the ext folder with the latest version
  • Service Release: Service Releases are available for the supported Versions COSMOS 2.9 and uniFLOW sysHUB 2021 and include the log4j libraries Version 2.17.0. The Service Releases and Installers for new customer installations are available on the customer portal in the Download section.
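The three checks above (no MDC/context patterns in config/log4j2.xml, the -Dlog4j2.formatMsgNoLookups=true wrapper option, and a log4j-core jar at 2.17.0 or later in the ext folder) can be verified in one pass. The script below is an added example written for this page, not NT-ware code or anything shipped with uniFLOW sysHUB. It assumes only the file locations the advisory names (config/log4j2.xml, CosmosServer.conf and ext/ under the install folder); reading Implementation-Version from META-INF/MANIFEST.MF when the jar name carries no version (the agent's fixed name log4j-core.jar) is an assumption about how the jars are built, as is treating a reused wrapper.java.additional.N index as a defect. The same jar_version helper can be pointed at the commons-text.jar from the October 2022 advisory. The sample install tree is constructed inside the script so it runs offline.

```python
"""Audit a uniFLOW sysHUB / COSMOS install folder for the Log4j mitigations
listed in the advisory (added example, not NT-ware code). Assumed layout:
config/log4j2.xml, CosmosServer.conf and ext/log4j-core*.jar under the install
folder. Reading Implementation-Version from META-INF/MANIFEST.MF for an
unversioned jar name is an assumption about how the jars are built."""
import os
import re
import tempfile
import zipfile

# PatternLayout conversions the advisory says must not be present
RISKY_PATTERN = re.compile(r"\$\$?\{ctx:[^}]*\}|%(?:X|mdc|MDC)\b(?:\{[^}]*\})?")
WRAPPER_LINE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
FIXED_VERSION = (2, 17, 0)  # version shipped with the Service Releases


def find_risky_patterns(xml_text: str) -> list:
    """Return every MDC/context-lookup conversion found in a log4j2.xml."""
    return RISKY_PATTERN.findall(xml_text)


def check_wrapper_conf(conf_text: str) -> dict:
    """Parse wrapper.java.additional.N lines: is the no-lookups flag set, and
    is any index N used twice? (A reused index would let one option shadow
    the other; flagging it as a defect is an assumption, not wrapper docs.)"""
    seen, dupes, flag = set(), [], False
    for line in conf_text.splitlines():
        m = WRAPPER_LINE.match(line)
        if not m:
            continue
        idx, value = int(m.group(1)), m.group(2)
        if idx in seen:
            dupes.append(idx)
        seen.add(idx)
        flag = flag or value == NOLOOKUPS_FLAG
    return {"nolookups_set": flag, "duplicate_indices": sorted(set(dupes))}


def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.split("."))


def jar_version(jar_path: str, artifact: str = "log4j-core"):
    """Version from the file name (log4j-core-2.17.0.jar) or, for the agent's
    fixed name log4j-core.jar, from the manifest. Works for commons-text too."""
    m = re.search(re.escape(artifact) + r"-(\d+(?:\.\d+)+)\.jar$", os.path.basename(jar_path))
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1)) if m else None


def audit(install_dir: str) -> dict:
    """Run the three checks; 'mitigated' needs clean patterns plus either advisory action."""
    with open(os.path.join(install_dir, "config", "log4j2.xml"), encoding="utf-8") as f:
        patterns = find_risky_patterns(f.read())
    with open(os.path.join(install_dir, "CosmosServer.conf"), encoding="utf-8") as f:
        wrapper = check_wrapper_conf(f.read())
    ext = os.path.join(install_dir, "ext")
    versions = {n: jar_version(os.path.join(ext, n))
                for n in sorted(os.listdir(ext)) if n.startswith("log4j-core") and n.endswith(".jar")}
    jars_fixed = bool(versions) and all(v is not None and v >= FIXED_VERSION for v in versions.values())
    flag_ok = wrapper["nolookups_set"] and not wrapper["duplicate_indices"]
    return {"risky_patterns": patterns, "wrapper": wrapper, "log4j_core_versions": versions,
            "mitigated": not patterns and (jars_fixed or flag_ok)}


def build_sample_install(mitigated: bool) -> str:
    """Constructed sample tree (not real product files) so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="syshub-audit-")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, "ext"))
    layout = "%d %-5p [%t] %c - %m%n" if mitigated else "%d %-5p [%t] user=%X{loginId} %c - %m%n"
    with open(os.path.join(root, "config", "log4j2.xml"), "w", encoding="utf-8") as f:
        f.write('<Configuration><Appenders><Console name="c"><PatternLayout pattern="'
                + layout + '"/></Console></Appenders></Configuration>')
    conf = ["wrapper.java.additional.1=-Xmx1024m", "wrapper.java.additional.2=-Dfile.encoding=UTF-8"]
    if mitigated:
        conf.append("wrapper.java.additional.24=" + NOLOOKUPS_FLAG)  # the advisory's entry .24
    with open(os.path.join(root, "CosmosServer.conf"), "w", encoding="utf-8") as f:
        f.write("\n".join(conf) + "\n")
    version = "2.17.0" if mitigated else "2.14.1"  # agent-style jar without version in its name
    with zipfile.ZipFile(os.path.join(root, "ext", "log4j-core.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
    return root


if __name__ == "__main__":
    for state in (False, True):
        print("mitigated sample" if state else "pre-mitigation sample", audit(build_sample_install(state)))
```

Point audit() at a real install folder to get the same summary; a non-empty risky_patterns list is the CVE-2021-45046 condition the advisory asks you to review even where the wrapper flag or the 2.17.0 jars are already in place.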

PRISMAsatellite

PRISMAsatellite does NOT use Log4j (for Java), but DOES use log4js (for JavaScript) as a component in the Dashboard. We can confirm that log4js (for JavaScript), which is used in all versions of PRISMAsatellite, is NOT vulnerable to the Log4j (for Java) exploit.