Compart - Document- and Output-Management

Security Advisory
and Important Customer Information

On this page we inform you about:

  • Current security vulnerabilities
  • Affected DocBridge® products
  • Steps for resolving


Relevant cases listed chronologically:

Security Alert

CVE-2023-46604 Affecting Apache ActiveMQ

November 2023 | CVE-2023-46604

Security Vulnerability in Apache ActiveMQ

  • Issue: A critical security vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, has been recently discovered.
  • Compart's Response: We initiated an immediate investigation into the impact on our products and began developing countermeasures upon discovery.


Which Compart Products Are Affected?

List of impacted products:

  • DocBridge® Pilot (up to version 3.9.12)
  • DocBridge® Mill Plus (up to version 2.16.0)
  • DocBridge® Auditrack (up to version 1.6.0)


What actions is Compart taking to mitigate the risk?

Remediation Steps

  • Hotfix: Contact our support via the myCompart customer portal
  • Patch Releases: Compart is providing patch releases for the affected products. These are available for download on the Compart customer portal myCompart.
  • Link: https://my.compart.com


Note on Other Compart Products

Not affected: Other Compart products, besides those mentioned above, are not affected by this vulnerability.

Recommended Immediate Actions

In general, we recommend the following actions:

  • Network Security: Prevent public internet access to the affected DocBridge products.
  • Access Restrictions: Limit access to the network ports used by the DocBridge products and allow only verified sources.
  • IP Address Verification: Ensure that only verified IP addresses have access to the DocBridge products.
  • Restrict External Connections: Limit external server connections to essential IP addresses and domains.
  • Load Balancer Settings: Extend network restrictions to load balancer settings, if in use.


Additional Security Measures by Compart

  • Internal IT Systems: We have checked all internal systems for vulnerabilities and implemented recommended measures and available patches.
  • Ongoing Monitoring: We continue to closely monitor the situation and will promptly inform our customers of any new developments.

Security Alert

CVE-2022-22965 ("Spring4Shell")

March 2022 | CVE-2022-22965

Security vulnerability in the Spring Framework

  • Issue: A vulnerability in the widely used framework for Java-based enterprise application development (Spring Framework) was recently discovered and published as CVE-2022-22965.
  • Compart's Response: Immediately after this security vulnerability became known on March 31, 2022, Compart began investigating possible effects on its products and taking countermeasures.

Dear Compart customers,

As you may have heard from the press, a vulnerability in a widely used framework for Java-based enterprise application development (Spring Framework) was recently discovered and published as CVE-2022-22965. Immediately after this security vulnerability became known on March 31, 2022, Compart began investigating possible effects on its products and taking countermeasures.

The vulnerability is fixed in the following versions of the Spring framework:

  • 5.3.18+
  • 5.2.20+

Spring Boot versions 2.5.12 and 2.6.6 which depend on the above have also been published. CVE-2022-22965 only affects Spring versions using Java >= 9 (Java 8 is not affected).

According to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-I-impacted :

  • The vulnerability involves ClassLoader access, and therefore, in addition to the specific attack reported with a Tomcat-specific ClassLoader, other attacks may be possible against a different custom ClassLoader.
  • The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or, optionally, without it and without any other Spring Web annotation.
  • The issue does not relate to @RequestBody controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.
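
The three cases above, shown side by side in an added example (not Compart's code and not part of the Spring announcement). JobController and JobRequest are hypothetical names; the @InitBinder method is the disallowed-fields workaround suggested in the linked Spring announcement for applications that cannot upgrade yet, while upgrading Spring remains the actual fix.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller: shows which parameter styles go through data binding.
@RestController
public class JobController {

    // Hypothetical request object; its setters are what data binding populates.
    public static class JobRequest {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // IN SCOPE: @ModelAttribute means the object is populated from query/form
    // parameters via data binding.
    @PostMapping("/jobs/form")
    public String createFromForm(@ModelAttribute JobRequest req) {
        return "form job " + req.getName();
    }

    // ALSO IN SCOPE: a plain, unannotated POJO parameter is treated as
    // @ModelAttribute implicitly and is data-bound the same way.
    @PostMapping("/jobs/plain")
    public String createPlain(JobRequest req) {
        return "plain job " + req.getName();
    }

    // NOT the affected mechanism: @RequestBody is deserialized (e.g. JSON),
    // not data-bound. A method mixing @RequestBody with a data-bound
    // parameter would still be in scope because of that other parameter.
    @PostMapping("/jobs/json")
    public String createFromJson(@RequestBody JobRequest req) {
        return "json job " + req.getName();
    }

    // Workaround from the Spring announcement for applications that cannot
    // upgrade immediately: refuse to bind any property path that reaches the
    // ClassLoader through getClass(). Spring 5.3.18+/5.2.20+ is the real fix.
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}
```

Auditing a code base for the first two method shapes is how to confirm the statement below that a product "does not use the annotation for data binding controller method parameters".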


Which Compart products are affected?

The following Compart products use versions of the Spring Framework that are susceptible to CVE-2022-22965. However, they do not use the data-binding controller method parameters (annotated or implicit) that give rise to the vulnerability:

  • DocBridge® Pilot
  • DocBridge® Authentication and Authorization
  • DocBridge® POM (Postal Optimization Module)
  • DocBridge® Delta
  • DocBridge® Document Desktop


What actions is Compart taking to mitigate the risk?

Hotfixes

Although the DocBridge products listed in the section "Which Compart products are affected" do not use the affected data-binding controller method parameters, Compart has nevertheless prepared hotfixes for these products, upgrading the Spring Framework to versions in which the vulnerability has been fixed (5.3.18+ and 5.2.20+, as indicated above).

  • Hotfixes are available from the Compart Support organization. Patches will eventually be available for download on my.compart.com.
  • Please note: Fixes and patches will only be provided for supported versions of DocBridge products (e.g. Pilot 4.1.0, 4.0.4 and 3.9.10).

What about other products such as DocBridge® Mill or DocBridge® Impress?

  • Compart products not mentioned on this page are not using Java and hence are not affected by CVE-2022-22965.


What else is Compart doing to minimize the risk posed by Spring4Shell?

Immediately after the vulnerability became known, all internal IT systems were checked for exposure in addition to our own software, the recommended countermeasures were initiated and available patches were installed. We will continue to monitor the situation closely and inform our customers promptly if new information becomes available.

Security Alert

Log4j2/Log4Shell Vulnerability

December 2021 | CVE-2021-44228

Security vulnerability in the open source Java library (Log4j2)

  • Issue: A critical vulnerability was identified in a widely used open source Java library (Log4j2) and published as CVE-2021-44228.
  • Compart's response: Immediately after this security vulnerability became known on December 10, 2021, Compart began investigating possible effects on its products and taking countermeasures.

Dear Compart customers,

As you may have heard from the press, a vulnerability in a widely used open source Java library (Log4j2) was recently discovered and published as CVE-2021-44228. Immediately after this security vulnerability became known on December 10, 2021, Compart began investigating possible effects on its products and taking countermeasures.

Which Compart products are affected?

One Compart product uses the library affected by the security vulnerability (Log4j2 <= 2.14.1). The affected product is:

  • DocBridge® Impress Designer up to and including version 2.0.1


What actions is Compart taking to mitigate the risk?

DocBridge® Impress Designer up to version 2.0.1

  • Compart recommends upgrading to the latest version of DocBridge® Impress Designer as soon as possible. Versions later than 2.0.1 are supplied as a plug-in for DocBridge® Central and are not affected by the Log4j2 vulnerability.
  • Impress Designer Plugin version 4.0.1 is currently available. It is installed as an NPM package, which is available to Compart customers via our NPM registry (https://reg-npm.compart.com/).
  • In the short term, until the upgrade is installed, Compart recommends that customers implement the countermeasures described at https://logging.apache.org/log4j/2.x/security.html. When selecting the appropriate short-term countermeasure, please note that version 2.0.1 of DocBridge® Impress Designer uses Log4j v2.13.3; even older versions use Log4j v2.8.2.

What about other products such as DocBridge® Pilot or DocBridge® Mill?

  • Products other than DocBridge® Impress Designer (up to version 2.0.1) are not affected by CVE-2021-44228.


What else is Compart doing to minimize the risk posed by Log4j2?

Immediately after the vulnerability became known, all internal IT systems were checked for exposure in addition to our own software, the recommended countermeasures were initiated and available patches were installed. We will continue to monitor the situation closely and inform our customers promptly if new information becomes available.

Our concern

  • We always try to act promptly and to clarify future issues with the highest priority.
  • If you have any questions, please get in touch with us via your personal contact at Compart or using the form below.
