News

General statement and FAQs Apache Log4j vulnerability

General statement Apache leak

General statement
The National Cyber Security Center (NCSC) warned companies in the Netherlands on Friday December 10, that there is a new vulnerability in Apache Log4j. This logging software is used globally by nearly all companies to maintain digital logs. More information about the leak and how to protect against it is available at www.cve.org or www.ncsc.nl.

We use various detection methods that give us insight into the situation 24/7. We continue to monitor the situation closely. If a vulnerability is detected, we are warned immediately and will resolve it as soon as possible.

As a software provider, cybersecurity is our top priority. To deal with these security risks, our cybersecurity experts have installed several additional protection measures in our systems to mitigate potential risks at all times. The cybersecurity and continuity risks are continuously reviewed and updated as needed.

We are informing our partners and customers about the Apache Log4j vulnerability and we are directing them to the information as available at www.cve.org of www.ncsc.nl.

Customers can contact our support department for product-specific questions.

For media inquiries, please contact Annemarije Dérogée, at media@exact.com or +31 (0)15 - 711 51 00.

Frequently asked questions

Below you can find frequently asked questions relating to Exact software and the Apache Log4j vulnerability. Note, as we continue to monitor the situation closely, please make sure you check this page daily (after 12.00 PM CET) for the latest status.

We monitor the situation closely. We use various detection methods that give us insight into the situation 24/7. If a vulnerability is detected, we are warned immediately and will resolve it as soon as possible. In the table below you can find the latest update on your Exact software. Regarding our key software platforms, the following:

  • For Exact Online we didn’t find any vulnerabilities in the core product. 
  • For Exact Globe we didn’t find any vulnerabilities in the core product .
  • For Exact Synergy we didn’t find any vulnerabilities in the core product.
  • For Exact Financials we didn’t find any vulnerabilities in the core product.

In the table below under 'Specific information Exact's software and services' you can find the latest update on your Exact software and services.

At this moment it’s not needed to perform an update or a patch for most of the Exact products. Only when using Elastic Search with Synergy or Consolidation powered by LucaNet you must make sure that you are using the latest version. If you need any help with updating or upgrading, please reach out to our consultancy or support departments.

As an IT service provider, Exact Cloud Services/Parentix is responsible for keeping your entire environment safe and up to date. We therefore ensure, in addition to the measures already taken, that if we find any vulnerability, we will patch or mitigate it as soon as possible.

As one of the extra measures related to the Apache Log4j vulnerability we have applied geo-blocking for our infrastructure. As a consequence, you may encounter an issue with accessing your Exact/Parentix environment. 

If you cannot make contact anymore to the Exact/Parentix environment due to this fact, we advise to make use of VP software. 

Alternatively, you can request us to whitelist the IP range of your company. This must be a fixed IP range. Unfortunately, dynamic ranges like mobile networks cannot be whitelisted. 

In case of any questions please reach out to our support team.

In the table below you can find specific information on Exact’s software and services. We will continue to monitor the situation closely and update the table when applicable.

Product/ Service Component Status Explanation Steps to solve or Workaround by customer/partner
Exact Online All core products Investigated, no vulnerabilities In the core product of Exact Online we have not detected any vulnerabilities. No action needed.
Exact Online Elastic Search Investigated, no vulnerability The search functionality in Exact Online is hosted by AWS. There is no risk of comprising our Exact Online environment. AWS updated the Elastic Search component and has confirmed that there are no vulnerabilities. No action needed.
Exact Globe Core product Investigated, not vulnerable The core product of Exact Globe contains an older version of Log4j which is not vulnerable. No action needed.
Exact Globe E-report/Crystal Reports Investigated, not vulnerable The default installation of Globe contains just the Crystal Report viewer. This does not contain any vulnerable components. The full version of Crystal Reports (packaged as E-Report) does contain Log4j, but this is an older version that is not vulnerable No action needed.
Consolidation powered by LucaNet Core product  Investigated, vulnerable, action needed Consolidation powered by LucaNet uses the Log4j component and has confirmed to be vulnerable. Customers need to update to the latest version. Action needed: solve the vulnerability by following the steps described in this document.
For more information from Lucanet, please check: lucanet.com/en/blog/update-vulnerability-log4j
Exact Synergy Core product Investigated, not vulnerable   No action needed.
Exact Synergy Elastic Search Investigated, vulnerable, action needed - workaround available Customers who use the Search All feature, and customers who use Elastic Search as search provider for searching the feeds, have installed a version of ElasticSearch, which is vulnerable to information disclosure. It is a function that needs to be installed manually and is only in use by a limited number of customers. Action needed: solve the vulnerability by following the steps described in the documents linked: EN NL
ELIS   Investigated, not vulnerable   No action needed.
Payroll Plus (Loket)   Investigated, not vulnerable   No action needed.
Exact AEC   Investigated, not vulnerable   No action needed.
Dimoni e-invoicing Investigated, not vulnerable The e-invoicing module of Dimoni uses an old version of Log4j that is not vulnerable. No action needed.
Exact Financials   Investigated, not vulnerable   No action needed.
ProAcc   Investigated, not vulnerable   No action needed.
ProQuro   Investigated, not vulnerable   No action needed.
WMS   Investigated, not vulnerable   No action needed.
Business Suite   Investigated, not vulnerable   No action needed.
Digipoort   Investigated, not vulnerable   No action needed.
DigitaleFactuur   Investigated, not vulnerable   No action needed.
Reeleezee   Investigated, not vulnerable   No action needed.
Bouw7   Investigated, not vulnerable   No action needed.
Officient   Investigated, not vulnerable Disabled vulnerable component on Friday 10th of December No action needed.
Go2UBL   Investigated, not vulnerable   No action needed.
Gripp   Investigated, not vulnerable   No action needed.
SRXP   Investigated, not vulnerable   No action needed.
Winbooks   Investigated, not vulnerable   No action needed.
BoekhoudGemak   Investigated, not vulnerable   No action needed.
Audition   Investigated, not vulnerable   No action needed.
FDS   Investigated, not vulnerable   No action needed.
Online Samenwerken (OSW)   Investigated, not vulnerable   No action needed.
FiscaalGemak   Investigated, not vulnerable   No action needed.
RapportageGemak   Investigated, not vulnerable   No action needed.
WerkprogrammaGemak   Investigated, not vulnerable   No action needed.
CommunicatieGemak   Investigated, not vulnerable   No action needed.
HR & SalarisGemak   Investigated, not vulnerable   No action needed.
EDI Gateway   Investigated, not vulnerable   No action needed.
Exact insights (Qlik)   Investigated, not vulnerable   No action needed.
ScanSys   Investigated, not vulnerable   No action needed.
EN Select your country