Log4j vulnerability and NAPA products and services
What happened
Similar to the rest of the industry, we at NAPA have become aware of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library log4j (all versions between 2.0 and 2.15 are vulnerable).
The library is used by a large part of the internet. When an attacker submits specially crafted text to an application that uses it, the way the library processes that text can give the attacker total control of the device the software is running on. The primary challenge is the size and scope of the vulnerability: an enormous number of applications use this underlying software.
We immediately took action to mitigate any potential impacts on NAPA applications and systems. We’d like to provide you with an update.
Actions we’ve taken
We have run an audit of NAPA products. The following is the list of already audited products and their status regarding this vulnerability.
NAPA Safety Solutions
NAPA Stability | Not affected by the vulnerability |
NAPA Loading Computer | Not affected by the vulnerability |
NAPA Emergency Computer | Not affected by the vulnerability |
NAPA Logbook | Not affected by the vulnerability |
NAPA Shipping Solutions
NAPA Fleet Intelligence | Not affected by the vulnerability |
NAPA Office | Not affected by the vulnerability |
NAPA Voyage Optimization | Not affected by the vulnerability |
NAPA Design Solutions
NAPA | Not affected by the vulnerability |
NAPA Designer | Not affected by the vulnerability |
NAPA DB Server | Not affected by the vulnerability |
NAPA License Manager | Not affected by the vulnerability |
NAPA Drafting | Not affected by the vulnerability |
NAPA Drafting Plugin for AutoCAD | Not affected by the vulnerability |
NAPA Viewer | Not affected by the vulnerability |
NOTE:
Current NAPA Design Solutions’ products do not use Java and there are no vulnerabilities.
Products released before the year 2014 might contain Java components but not this vulnerability.
However, we highly recommend using the latest NAPA release versions.
Internal NAPA systems
The mitigation for the vulnerability has already been applied to internal NAPA systems. To date, our analysis has not identified any compromise of NAPA systems or customer data before the mitigations were applied.
Actions moving forward
We are continuing to test our services to see whether they are vulnerable as a result of using third-party components and, where applicable, will take the necessary actions.
The proper mitigations have been either to update log4j to a safe version or to disable it in the affected service.
We are also monitoring further developments of the issue and will keep you posted should there be any new information or actions needed.
In case you have any further questions or concerns, please contact customer.service@napa.fi
Best regards,
The NAPA team
Updated on 20 December 2021