Security and maintenance

Worldwide support Fast. Reliable. Diligent

This section provides an overview of all critical uniFLOW security advisories. For further information regarding these advisories please contact your local Canon office, authorized reseller or NT-ware support representative. Access to the NT-ware Knowledgebase is granted to all local Canon offices and authorized resellers to receive more detailed information and patches.

April 4th 2022 | Security Advisory
NT-ware is aware of a new remote code execution vulnerability affecting the Java Spring framework. Named Spring4Shell and tracked under CVE-2022-22965, this vulnerability is in the Java ‘Spring’ library. We actioned our security and development team to investigate, mitigate and communicate our activities. The result of these activities have concluded and are listed below. As it is early in the release of this vulnerability, the information below is subject to change if new exploits are identified.

Below you can find a breakdown of the activity for NT-ware as a company and our individual products:

NT-ware - company

All public-facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
Some internal services have been identified as utilizing Spring4Shell. We have taken immediate steps to patch or place mitigation controls in place.

uniFLOW

None of the uniFLOW components are affected:

uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
uniFLOW Embedded Applets for:
- Canon MEAP devices
- varioPrint 140 devices
- ColorWave/PlotWave printers
- ScanFront devices
- Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices
Devices connected with uniFLOW Release Stations

uniFLOW Online/uniFLOW Online Express

None of the uniFLOW Online/uniFLOW Online Express components are affected:

The platform itself, SmartClients, and supporting services
uniFLOW Embedded Applets for Canon MEAP devices
Devices connected with uniFLOW Release Stations

uniFLOW sysHUB

None of the uniFLOW sysHUB (Cosmos) components are affected:

While the Spring library is present in the uniFLOW sysHUB (Cosmos) product, we can confirm it is NOT affected by this vulnerability.
- COSMOS Versions < 2.9 use Java8, a prerequisite is >= Java9
- Since COSMOS V2.9 and sysHUB 2021, Java11 has been used, but the following bullet points exclude the vulnerability
  - All versions of COSMOS and sysHUB use Jetty instead of Tomcat for the servlet engine
  - All standard web applications are NOT deployed as WAR files
  - Spring-webflux is NOT used in any of the standard web applications
Out of an abundance of caution, we will be taking further actions moving forward. Please note there is NO need to perform any patching of existing systems/installations to mitigate the known listed exploits.
- We will update Spring library to the latest version with sysHUB 2022.1
- The capability for build pipeline to deploy WAR files will be disabled with sysHUB 2022.1 as well

PRISMAsatellite

None of the PRISMAsatellite components are affected.

December 13th 2021 | Security Advisory
A critical vulnerability, CVE-2021-44228, has been identified in the popular Java logging library, Apache Log4j 2, or also referred to as Log4Shell. This has had a devastating impact globally on millions of systems and applications which impacts almost every company in some way.
NT-ware actioned last week our security response plans to investigate, mitigate and communicate our activities. The result of these activities have concluded with that we have no exposed system or products that are susceptible to this vulnerability.

Below you can find a breakdown of the activity for NT-ware as a company and our individual products:

NT-ware - company

All public facing sites and services have been reviewed and scanned by vulnerability assessment tools and human inspection.
Some internal services have been identified as utilising Log4j. We have taken immediate steps to patch or place mitigation controls in place.

uniFLOW

None of the following is affected: uniFLOW Server, Remote Print Servers, SmartClients, Internet Gateway, Web Submission, and supporting services.
Embedded applets for devices:
- uniFLOW MEAP embedded applet for Canon devices – Unaffected
- uniFLOW embedded applet for VarioPrint devices – Unaffected
- uniFLOW embedded applet for ColorWave/PlotWave devices – Unaffected
- uniFLOW embedded applet for ScanFront devices – Unaffected
- uniFLOW embedded applet for Xerox/HP/Samsung/Konica Minolta/Brother/Sharp/OKI/EPSON/Lexmark devices – Unaffected
- Devices connected with Release Stations – Unaffected

uniFLOW Online/uniFLOW Online Express

None of the following is affected: the platform itself, SmartClients, and supporting services.
Embedded applets for devices:
- uniFLOW MEAP embedded applet for Canon devices – Unaffected
- Devices connected with Release Stations – Unaffected

uniFLOW sysHUB

Up to and including COSMOS V2.7, log4j Version 1.2.x was used. There is a security flaw found with the JMSAppender. The JMSAppender is not used in COSMOS standard configuration.
Since COSMOS V2.8 and sysHUB 2021, log4j Version 2 (version 2.11.0 to Version 2.14.1) is used.
CVE-2021-44228 JNDI lookups : lookups via JNDI in COSMOS/sysHUB are blocked by a custom development and end in a system exception message.
CVE-2021-45046 DOS attack via patterns: none of the patterns $${ctx:loginId}, %X, %mdc, or %MDC is used in the standard configuration. Please review your log4j configuration in the file config/log4j2.xml to ensure you are not using any of the mentioned patterns (which is the case in all standard configurations).
CVE-2021-45105 Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Even with the product not exposed by this vulnerability it is recommended to disable log4j2 lookups as listed below:

Edit the <install-folder>\CosmosServer.conf file and for all used Agents the <agent-install-folder>\CosmosAgent.conf
Add the line wrapper.java.additional.24=-Dlog4j2.formatMsgNoLookups=true, change the numbering depending on your used wrapper options, in our case we have the entry .24 added
Restart the server and all Agents

Alternatively, COSMOS and sysHUB installations work with log4j 2.16.0 and with log4j 2.17.0 as well. This version can be downloaded directly from the Apache website and replace the existing version in the ext folder:

Stop running servers and agents to be updated
Server: replace all ext/log4j*.jar files with the latest version
Agent: replace the ext/log4j-core.jar with the latest version but keep the naming without version, file must have the fixed name log4j-core.jar
Start running servers and agents
The file ant-apache-log4j.jar in the client plugins folder is not a separate log4j library but a connector class from apache ant and must not be changed
Log4j properties file win the cosmos-web folder is just a config file to enable loggers and must not be changed

COSMOS and sysHUB native Client: A workaround is provided to Canon Software Support, an updated version is available as a patch and a new setup is provided
COSMOS and sysHUB Agent: replace the file log4j2-core.jar in the ext folder with the latest version
Service Release: Service Releases are available for the supported Versions COSMOS 2.9 and uniFLOW sysHUB 2021 and include the log4j libraries Version 2.17.0. The Service Releases and Installers for new customer installations are available on the customer portal in the Download section.

PRISMAsatellite

PRISMAsatellite does NOT use LOG4J (for Java), but DOES use log4JS (for JavaScript) as a component in the Dashboard. We can confirm that Log4JS (for JavaScript) is used in all versions of PRISMAsatellite, is NOT vulnerable to the LOG4J (for Java) exploit.

December 8th 2020 | Security Advisory
It has been brought to our attention by the 'Federal Office for Information Security' (BSI) that the network implementation within the microMIND is vulnerable to a number of exploits. These vulnerabilities were discovered by 'Forescout Technologies', researchers Jos Wetzels, Stanislav Dashevskyi, Amine Amri, and Daniel dos Santos.

The microMIND utilises the uIP open-source network stack, https://en.wikipedia.org/wiki/UIP_(micro_IP) used by thousands of companies to network enable their software/hardware. The researchers found that if exploited these vulnerabilities could result in a DoS attack taking the device offline or performing Remote Code Execution (RCE) on the microMIND itself. To address these vulnerabilities NT-ware has released a new firmware that addresses all reported issues. At the time of writing this security bulletin there are no known exploits targeting the microMIND.

Exploit name/link: AMNESIA:33, https://www.forescout.com/amnesia33/
CVE's addressed in this firmware are: CVE-2020-13988, CVE-2020-13987, CVE-2020-17438, CVE-2020-17437
CVE's not related to the MicroMIND implementation of the uIP Stack: CVE-2020-17440, CVE-2020-17439, CVE-2020-24334, CVE-2020-24335
Affected uniFLOW microMIND Firmware: version 2.0.9 and earlier or delivered prior to October 2020.
Mitigation/Action: If you have an affected microMIND please contact your Canon representative to arrange upgrading the firmware.

December 18th 2018 | Security Advisory
The following security advisory has been updated for uniFLOW:

uniFLOW Authentication issue
There is a possibility of gaining unauthorized access where "Username/Password" is used as authentication or the card learning mechanism is utilized. This only affects particular versions of the software, when used with these authentication methods: uniFLOW V5.1 SRx, uniFLOW V5.2 SRx, uniFLOW V5.3 SRx, uniFLOW V5.4 SRx, uniFLOW 2018 LTS SRx, uniFLOW 2018 v-Releases.
An additional issue has been found (affecting the versions from V5.3 SRx onwards) whereby it is possible to access the device Remote User Interface (RUI) when using the Universal Login Manager (ULM).
As both issues have been found in a short time frame we have opted to create a combined installer which applies a hotfix for both issues:
Please find instructions to install the hotfix here.
(as uniFLOW V5.1 SRx & V5.2 SRx are not supported anymore, the hotfix for these versions is available on request from your local Canon office)
If you already have applied the original hotfix, you should still apply the new hotfix to fix the remaining issue. We are committed to providing secure solutions to our customers and apologize for any inconvenience this situation has caused. Should you require further information regarding this advisory, please contact your local Canon office, authorized reseller or Canon support representative. If you notice any suspicious activity, please report these immediately to your account manager and IT department.

May 22nd 2017 | Security Advisory
The following security advisory has been released for all versions of uniFLOW:

Sniffing network packages to webcall.asp possible
- Hotfix available
- Service Release Fix: uniFLOW V5.4 SR9
- Further information on ITS: MOMKB-907

December 09th 2014 | Security Advisory
The following security advisory has been released for all versions of uniFLOW:

"POODLE" exploit (SSL 3.0 vulnerability)
- Hotfix not planned
- Service Release Fix: see MOMKB-759
- Further information on ITS: MOMKB-759

April 11th 2014 | Security Advisory
The following security advisory has been released for uniFLOW V5.1 and V5.2:

Heartbleed Bug (OpenSSL vulnerability)
- Hotfix available for uniFLOW V5.2 SR2
- Service Release Fix will be available for uniFLOW V5.1 SR9 and V5.2 SR3
- Further information on ITS: MOMKB-759

December 4th 2013 | Security Advisory
The following security advisories have been released by NT-ware for uniFLOW V5.2 SR1 and older:

Stored and reflected Cross Site Scripting (XSS)
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-733

Arbitrary command execution
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-734

Inadequate Access Control
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-735

Potential credential stealing on IG
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-736

Use of dangerous functions in the IG code
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-737

Arbitrary file write on IG
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-738

SQL Injection
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-739

Information disclosure through the header response of the IG server
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-740

Weak CAPTCHA security
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-741

Passwords stored in plain text in the IG database
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-742

Arbitrary file delete on uniFLOW server
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-74

Cross site request forgery (uniFLOW server)
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-744

May 8th 2013 | Security Advisory
The following four security advisories has been released for uniFLOW V5.1.0 – V5.1.6 and uniFLOW V5.2

Authentication with user name and PIN-code on PWCLIENT and PWRQM
- Hotfix availability: in planning
- Service Release Fix: uniFLOW V5.1.7, V5.2 SR1
- Further information on ITS: MOMKB-705

December 8th 2011 | Security Advisory
The following four security advisories have been released for uniFLOW V5.0.5 and uniFLOW V5.1.1

Password in HTML Source
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-581

SQL Injection
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-583

Persistent/Stored XSS
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-584

Unencrypted communication between MEAP Module and RPS
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-585