Morita Systems and the Log4j Security Vulnerability

By now, many of you have seen the news about a serious software vulnerability that affects many computer systems all over the world. We at Morita would like to reassure you that our software is unaffected. For more details, please read the article below.


Many websites and news outlets are sharing news about a serious software vulnerability that affects many systems all over the world. In fact, you have also likely been informed that such vulnerabilities affect common systems that are in use in everything from medical workstations to your personal notebook PCs.

We would like to take this opportunity to assure you that the Morita software that you are using in your clinic is not affected by this critical vulnerability. With regard to Morita software, no update or action is required by you or your staff to deal with this vulnerability.

Background

As reported by CVE.org for CVE-2021-44228:

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

These libraries are for applications and services that use Java as a foundation. For more information on the services and other announcements, please visit the Apache Logging Services website managed by the Apache Software Foundation™.

i-Dixel and Driver Software

Neither i-Dixel nor its associated modules make use of Java; they are built on an entirely separate and unaffected software platform. Our logging system is proprietary and makes no use of any of the affected libraries identified.

Because these platforms are different from and unrelated to Java and its associated libraries, this vulnerability does not affect these applications, no matter which generation is installed in your clinic or hospital. No action is necessary regarding i-Dixel and its associated modules.

i-Dixel WEB

It must be noted that this vulnerability applies solely to Java-based modules that rely on log4j2 to provide logging services. The Apache HTTP Server is not written in Java, nor does it use the log4j library, so it is not affected by CVE-2021-44228. Although Morita utilizes some Apache Services, none of them utilize the log4j libraries, nor can they, because the platform is different.

Furthermore, Morita has written its own proprietary logging system which itself is not built on Java and is also, therefore, unaffected by this vulnerability.

About Morita
We at Morita are committed to ensuring the security of your computer systems and will always inform you and provide countermeasures any time a serious security vulnerability is identified. For this incident, we would like to reassure you that your Morita software is not affected by it and that you may continue to operate your devices with peace of mind.

If you have installed additional third-party software on your Morita-supplied computers or are operating using a virtual environment, please contact your dealer or customer support to confirm if any of their applications are affected.

If you have any further questions, please contact your local dealer or Morita affiliate for support.