Vulnerability details:
On December 9, 2021, a vulnerability was disclosed in Log4j, an open-source Java logging library maintained by the Apache Software Foundation. Log4j is used by a very large percentage of the Java programs developed in recent years, for both client and server applications. The vulnerability has been assigned CVE-2021-44228 and is known as "Log4Shell".
CVE-2021-44228 enables attackers to perform unauthenticated remote code execution. Because the flaw is highly severe and sits in the core of Log4j, because the library is widely used across business applications, and because an exploit is publicly available, Barco's security team started an assessment of the Barco product range.
Impact on Barco products:
Barco is currently analyzing the impact on Barco products. As the investigation continues, the assessment results will be updated. In the table below, "Not applicable" means that the product does not use Log4j.
| Product | Status |
|---|---|
| QAweb Enterprise | Not applicable |
| MediCal QAWeb | Not affected* |
| MXRT Display Driver & Intuitive Workflow Tools | Not applicable |
| NexxisCare | Not applicable |
| NexxisLive | Not applicable |
| Nexxis WorkSpot | Not applicable |
| NexxisOR | Not affected* |
| Demetra | Not affected |
| ClickShare (Base Units, Buttons, and Apps) | Not applicable |
| XMS Cloud | Not applicable |
| XMS Edge | Not applicable |
| CMGS | Not applicable |
| TransForm N (TFN) | Not affected* |
| OpSpace | Affected. Limited to the Audit Logging feature. Hotfix available; for more details, see KB 5655 |
| UniSee Present | Not applicable |
| SecureStream | Not applicable |
| Video Wall Management suite (cloud)? | Not applicable |
| Video Wall Manager (onprem) | Not applicable |
| Green Barco Wall Control Manager (gBCM) | Not affected* |
| WeConnect | Not applicable |
| WePresent | Not applicable |
| Overture | Not applicable |
| Projector Management Suite | Not applicable |
| Projector Toolset | Not applicable |
| Webanalyser | Not applicable |
| Projector embedded software | Not applicable |
| Infinipix | Not applicable |
| ECU-200 with DCS (Display Control suite) | Not applicable |
* This recent vulnerability disclosure caused widespread and renewed security attention for this framework, which in turn led to the discovery of new vulnerabilities in both Log4j version 1 and version 2. Although a large percentage of our product portfolio does not use Log4j, Barco is currently performing a broader investigation beyond the scope of the "Log4Shell" vulnerability to determine the impact on our products. An overview of the current assessment results can be found in KB 1907.
Barco products are designed with security, privacy, and confidentiality in mind, and with every software release new features and fixes are added to the product range. Additionally, Barco operates an information security management system (ISMS) that complies with the ISO 27001 standard, covering policies, management involvement, business processes, technology, compliance with local laws, security awareness, and security best practices. The products and locations in scope are listed on our certificate, which can be found on Certificates - Barco.