Log4j Vulnerability - Risk Assessment
Please note that Dynamic Imaging Systems (DIS) does not directly incorporate or use the log4j library in our core software application code. However, it is installed and used in a limited fashion by our PositiveID/Distributed Processing software package. No patch or fix is required for Picturelink or CorreTrak. For PositiveID/Distributed Processing, we are currently investigating the extent to which log4j is used and the resulting risk level, so as to determine the best course of action to mitigate or eliminate the risks associated with it.

The critical vulnerability now being widely reported, CVE-2021-44228 (commonly called Log4Shell) together with the follow-on CVE-2021-45046, affects the Log4j 2.x line from version 2.0-beta9 through 2.15.0 and lies in the JNDI lookup that Log4j 2 performs on lookup patterns in logged messages. The library version used within PositiveID/Distributed Processing is 1.2.15, which belongs to the older 1.x line and does not contain that lookup code. DIS therefore believes the risk level is minimal and that it does not follow the same critical path as the affected 2.x versions. Note, however, that the 1.x line reached end-of-life in 2015 and receives no security fixes of its own, so its presence should still be recorded. Explicit documentation about the security vulnerabilities can be found on the Apache Log4j security page.
In other instances where agencies are not using PositiveID/Distributed Processing but Oracle database access is involved, third-party software tools may have been installed on servers running DIS software. To reduce exposure, sites that have Oracle SQL Developer or SOAP tools installed on the server can safely uninstall these applications, or schedule a time with one of our technicians to have them uninstalled. Your agency will need to arrange another means of access to your Oracle database, if required, until the vendors of these third-party applications provide a fix.
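Both paragraphs above come down to the same practical question: which Log4j archives are actually present on a server, what version each one is, and whether the JNDI lookup class is still inside it. The script below is an added example written for this page, not a DIS tool or part of any DIS product. It walks a directory for JAR/WAR/EAR files (recursing into JARs nested inside WARs), reads the version from the Maven pom.properties that Log4j's published JARs carry (falling back to the file name), checks for JndiLookup.class, and applies Apache's published fixed-release numbers. The archives written by make_sample_tree() are constructed stand-ins that contain only those marker files, so the example runs offline against a temporary directory.

```python
"""Inventory Log4j archives under a directory and classify each one against the
December 2021 JNDI lookup issues (CVE-2021-44228 / CVE-2021-45046).
Added example for this page, not Dynamic Imaging Systems tooling. Fixed-release
numbers are Apache's; make_sample_tree() writes constructed stand-in archives."""
import io, os, re, tempfile, zipfile

# Maven metadata bundled in the JARs: 2.x core uses groupId
# org.apache.logging.log4j, the 1.x line uses the old groupId "log4j".
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"
# The class performing the JNDI lookup; deleting it from the JAR was the
# Apache-documented stopgap when an upgrade could not be deployed at once.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j(?:-core)?-(\d[\w.\-]*?)\.jar$")  # file-name fallback

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0); '2.14.1' -> (2, 14, 1); 'unknown' -> ()."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3]) if nums else ()

def is_fixed_2x(v):
    # Releases closing both CVEs per branch: 2.16.0+ (Java 8), 2.12.2+ (Java 7), 2.3.1+ (Java 6)
    return (v >= (2, 16, 0) or (v[:2] == (2, 12) and v[2] >= 2)
            or (v[:2] == (2, 3) and v[2] >= 1))

def classify(version, jndi_lookup_present):
    v = parse_version(version)
    if not v:
        return "version unknown: inspect manually"
    if v[0] == 1:
        # 1.x has no JNDI message lookup, so Log4Shell does not reach it, but the
        # branch is end-of-life and receives no fixes for its own issues.
        return "not affected by CVE-2021-44228 (1.x); end-of-life, review separately"
    if v[0] == 2 and not is_fixed_2x(v):
        if jndi_lookup_present:
            return "VULNERABLE: upgrade or remove JndiLookup.class"
        return "mitigated (JndiLookup.class removed); upgrade still recommended"
    return "fixed release"

def version_of(zf, location):
    for pom in (POM_2X, POM_1X):
        if pom in zf.namelist():
            for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = NAME_RE.search(os.path.basename(location))
    return m.group(1) if m else "unknown"

def scan_archive(data, location):
    """Classify one archive, recursing into JARs nested inside WAR/EAR/JAR files."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if {POM_2X, POM_1X} & names or NAME_RE.search(os.path.basename(location)):
            present = JNDI_LOOKUP in names
            ver = version_of(zf, location)
            out.append({"location": location, "version": ver,
                        "jndi_lookup_present": present, "status": classify(ver, present)})
        for inner in sorted(names):
            if inner.lower().endswith(".jar"):
                out += scan_archive(zf.read(inner), f"{location}!{inner}")
    return out

def scan_tree(root):
    found = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    found += scan_archive(fh.read(), os.path.relpath(p, root).replace(os.sep, "/"))
    return sorted(found, key=lambda x: x["location"])

def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def make_sample_tree(root):
    """Constructed sample data, one stand-in archive per outcome (not real Log4j)."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic stands in for JndiLookup
    samples = {
        "lib/log4j-1.2.15.jar": _jar({POM_1X: "version=1.2.15\n"}),
        "tools/log4j-core-2.14.1.jar": _jar({POM_2X: "version=2.14.1\n", JNDI_LOOKUP: fake_class}),
        "patched/log4j-core-2.14.1.jar": _jar({POM_2X: "version=2.14.1\n"}),
        "app.war": _jar({"WEB-INF/lib/log4j-core-2.17.1.jar":
                         _jar({POM_2X: "version=2.17.1\n", JNDI_LOOKUP: fake_class})}),
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    # Build the sample tree in a temporary directory, scan it, return {location: status}.
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return {f["location"]: f["status"] for f in scan_tree(root)}

if __name__ == "__main__":
    for loc, status in demo().items():
        print(f"{loc}: {status}")
```

On a real host, call scan_tree() with the install root you want checked (for example the folder a third-party tool such as Oracle SQL Developer was installed into) instead of the temporary directory. A 1.x hit such as the 1.2.15 library above is reported as outside CVE-2021-44228 but flagged end-of-life; a 2.x hit below the fixed release for its branch is reported as vulnerable unless JndiLookup.class has already been deleted from the archive, in which case it is reported as mitigated pending an upgrade.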