General statement and FAQs Apache Log4j vulnerability
General statement
The National Cyber Security Center (NCSC) warned companies in the Netherlands on Friday, December 10, that there is a new vulnerability in Apache Log4j. This logging software is used globally by nearly all companies to maintain digital logs. More information about the vulnerability and how to protect against it is available at www.cve.org or www.ncsc.nl.
We use various detection methods that give us insight into the situation 24/7. We continue to monitor the situation closely. If a vulnerability is detected, we are warned immediately and will resolve it as soon as possible.
As a software provider, cybersecurity is our top priority. To deal with these security risks, our cybersecurity experts have installed several additional protection measures in our systems to mitigate potential risks at all times. The cybersecurity and continuity risks are continuously reviewed and updated as needed.
We are informing our partners and customers about the Apache Log4j vulnerability and we are directing them to the information available at www.cve.org or www.ncsc.nl.
Customers can contact our support department for product-specific questions.
For media inquiries, please contact Annemarije Dérogée, at media@exact.com or +31 (0)15 - 711 51 00.
Frequently asked questions
Below you can find frequently asked questions relating to Exact software and the Apache Log4j vulnerability. Note, as we continue to monitor the situation closely, please make sure you check this page daily (after 12.00 PM CET) for the latest status.
We monitor the situation closely. We use various detection methods that give us insight into the situation 24/7. If a vulnerability is detected, we are warned immediately and will resolve it as soon as possible. In the table below you can find the latest update on your Exact software. Regarding our key software platforms, the following:
- For Exact Online we didn’t find any vulnerabilities in the core product.
- For Exact Globe we didn’t find any vulnerabilities in the core product.
- For Exact Synergy we didn’t find any vulnerabilities in the core product.
- For Exact Financials we didn’t find any vulnerabilities in the core product.
In the table below under 'Specific information Exact's software and services' you can find the latest update on your Exact software and services.
At this moment, no update or patch is needed for most of the Exact products. Only if you use Elastic Search with Synergy, or Consolidation powered by LucaNet, must you make sure that you are using the latest version. If you need any help with updating or upgrading, please reach out to our consultancy or support departments.
As an IT service provider, Exact Cloud Services/Parentix is responsible for keeping your entire environment safe and up to date. We therefore ensure, in addition to the measures already taken, that if we find any vulnerability, we will patch or mitigate it as soon as possible.
As one of the extra measures related to the Apache Log4j vulnerability we have applied geo-blocking for our infrastructure. As a consequence, you may encounter an issue with accessing your Exact/Parentix environment.
If you can no longer connect to the Exact/Parentix environment because of this, we advise you to use VPN software.
Alternatively, you can request us to whitelist the IP range of your company. This must be a fixed IP range. Unfortunately, dynamic ranges like mobile networks cannot be whitelisted.
In case of any questions please reach out to our support team.
In the past, for the UK legislation HMRC IRmark functionality, IRMarkDOS files were needed. Because these files have not been used within the Exact Globe Next software since 2019, they are no longer downloaded when installing or updating Exact Globe Next.
We also investigated the Java-based third-party component used for Spanish legislation (FacturaE). We have updated this component in the Servicepack of April 2022. With this update all Log4j components are removed and replaced.
We advise all customers to update to the latest version of our software. With the Servicepack of April 2022 any Log4j component is removed or replaced. Please see our release notes.
In the table below you can find specific information on Exact’s software and services. We will continue to monitor the situation closely and update the table when applicable.
Product/Service | Component | Status | Explanation | Steps to solve or Workaround by customer/partner |
---|---|---|---|---|
Exact Online | All core products | Investigated, no vulnerabilities | In the core product of Exact Online we have not detected any vulnerabilities. | No action needed. |
Exact Online | Elastic Search | Investigated, no vulnerability | The search functionality in Exact Online is hosted by AWS. There is no risk of compromising our Exact Online environment. AWS updated the Elastic Search component and has confirmed that there are no vulnerabilities. | No action needed. |
Exact Globe | Core product | Investigated, not vulnerable | The core products did contain an older, not vulnerable, version of Log4j. With the Servicepack of April 2022 this is fixed. All Log4j components are removed from Exact Globe. | Update to the latest Servicepack. |
Exact Globe | E-report/Crystal Reports | Investigated, not vulnerable | The default installation of Globe contains just the Crystal Report viewer. This does not contain any vulnerable components. The full version of Crystal Reports (packaged as E-Report) does contain Log4j, but this is an older version that is not vulnerable. | No action needed. |
Consolidation powered by LucaNet | Core product | Investigated, vulnerable, action needed | Consolidation powered by LucaNet uses the Log4j component and has been confirmed to be vulnerable. Customers need to update to the latest version. | Action needed: solve the vulnerability by following the steps described in this document. For more information from LucaNet, please check: lucanet.com/en/blog/update-vulnerability-log4j |
Exact Synergy | Core product | Investigated, not vulnerable | | No action needed. |
Exact Synergy | Elastic Search | Investigated, vulnerable, action needed - workaround available | Customers who use the Search All feature, and customers who use Elastic Search as search provider for searching the feeds, have installed a version of ElasticSearch which is vulnerable to information disclosure. It is a function that needs to be installed manually and is only in use by a limited number of customers. | Action needed: solve the vulnerability by following the steps described in the documents linked: EN NL |
ELIS | | Investigated, not vulnerable | | No action needed. |
Payroll Plus (Loket) | | Investigated, not vulnerable | | No action needed. |
Exact AEC | | Investigated, not vulnerable | | No action needed. |
Dimoni | e-invoicing | Investigated, not vulnerable | In update 360 SP3 the e-invoicing module of Dimoni does not use Log4j anymore. In older versions Dimoni uses an old version of Log4j that is not vulnerable. | No action needed. |
Exact Financials | | Investigated, not vulnerable | | No action needed. |
ProAcc | | Investigated, not vulnerable | | No action needed. |
ProQuro | | Investigated, not vulnerable | | No action needed. |
WMS | | Investigated, not vulnerable | | No action needed. |
Business Suite | | Investigated, not vulnerable | | No action needed. |
Digipoort | | Investigated, not vulnerable | | No action needed. |
DigitaleFactuur | | Investigated, not vulnerable | | No action needed. |
Reeleezee | | Investigated, not vulnerable | | No action needed. |
Bouw7 | | Investigated, not vulnerable | | No action needed. |
Officient | | Investigated, not vulnerable | Disabled vulnerable component on Friday 10th of December | No action needed. |
Go2UBL | | Investigated, not vulnerable | | No action needed. |
Gripp | | Investigated, not vulnerable | | No action needed. |
SRXP | | Investigated, not vulnerable | | No action needed. |
Winbooks | | Investigated, not vulnerable | | No action needed. |
BoekhoudGemak | | Investigated, not vulnerable | | No action needed. |
Audition | | Investigated, not vulnerable | | No action needed. |
FDS | | Investigated, not vulnerable | | No action needed. |
Online Samenwerken (OSW) | | Investigated, not vulnerable | | No action needed. |
FiscaalGemak | | Investigated, not vulnerable | | No action needed. |
RapportageGemak | | Investigated, not vulnerable | | No action needed. |
WerkprogrammaGemak | | Investigated, not vulnerable | | No action needed. |
CommunicatieGemak | | Investigated, not vulnerable | | No action needed. |
HR & SalarisGemak | | Investigated, not vulnerable | | No action needed. |
EDI Gateway | | Investigated, not vulnerable | | No action needed. |
Exact insights (Qlik) | | Investigated, not vulnerable | | No action needed. |
ScanSys | | Investigated, not vulnerable | | No action needed. |