Important Notifications and Updates

January 10, 2022: Update Notification for Customers using Cimetrix by PDF connectivity products: Apache Log4J library Vulnerability

Notification for all Cimetrix Sapience customers

Because each customer installs Cimetrix Sapience® in their own unique environment with their own unique access controls, and because the PDF Solutions' Cimetrix products team does not manage such installations, we encourage you to re-assess your users’ access to the Sapience software during this mitigation period and act according to your company’s policy.

January 10, 2022

VULNERABILITY: Apache Log4J library vulnerability (CVE-2021-44832) was recently made public (December 28, 2021).

SCOPE / IMPACT: We have confirmed Cimetrix Sapience® Version 3.0 and later is impacted (see recommendations below). We are continuing to assess the vulnerability of other versions and will provide updates as they are available.

FOLLOW-UP / RECOMMENDATIONS:
A. We will continue to publish mitigation recommendations for vulnerabilities as they are identified.
B. For customers using Sapience Version 3.0 or later, patches will be released through the Cimetrix Support site as they become available.

For general information on this vulnerability, please review CVE-2021-44832 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832) and the Apache Log4j2 post (https://logging.apache.org/log4j/2.x/index.html).

December 21, 2021:

VULNERABILITY: Apache Log4J library vulnerabilities (CVE-2021-44228, CVE-2021-45046) were recently made public (December 10, 2021).

SCOPE / IMPACT: We have confirmed Cimetrix Sapience® Version 3.0 and later is impacted (see recommendations below). We are continuing to assess the vulnerability of other versions and will provide updates as they are available.

FOLLOW-UP / RECOMMENDATIONS:
A. We will continue to publish mitigation recommendations for vulnerabilities as they are identified.
B. For customers using Sapience Version 3.0 or later, patches are available through the Cimetrix Support site.

If you have any specific questions or concerns, please log a case with support@cimetrix.com or contact your Cimetrix Solutions Engineer.

For general information on this vulnerability, please review CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) and the Apache Log4j2 post (https://logging.apache.org/log4j/2.x/index.html).


ISSUE: Security experts discovered a high-severity security vulnerability in the Apache Log4J library (CVE-2021-44228), which was recently made public (December 9, 2021).

SCOPE / IMPACT: In response to this discovery, Cimetrix engineers have reviewed the following products and determined that they do not use Java or Apache log4j2.

  • CIMConnect™
  • CIM300™
  • CIMPortal™ Plus
  • CIMControlFramework™ (CCF)
  • Cimetrix HostConnect™
  • EDAConnect™
  • Cimetrix EquipmentTest™
  • Cimetrix EDATester™
  • ECCE™ Plus
  • SECSConnect™

FOLLOW-UP / RECOMMENDATIONS: No additional action is required.