The information below is from Lexmark regarding the Apache Log4j exploit:
Issue Description:
The Apache Log4j utility is an open-source Apache framework that is commonly used as a component for logging requests. On December 9, 2021, a vulnerability was reported that could allow an attacker to compromise a system running Apache Log4j version 2.15 or below and execute arbitrary code on the vulnerable server.
On December 10th, 2021, NIST (National Institute of Standards and Technology) published a critical CVE (Common Vulnerabilities and Exposures) in the National Vulnerability Database identifying this as CVE-2021-44228. The official CVSS (Common Vulnerability Scoring System) base severity score has been determined to be 10. The latest guidance from the Apache Software Foundation is to upgrade to 2.17. The latest CVE and guidance from the Apache Software Foundation are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 and https://logging.apache.org/log4j/2.x/security.html
Explanation:
Lexmark development teams have assessed Lexmark solutions and are now actively implementing remediation plans for the Log4j vulnerability on any Lexmark solutions impacted. We share your sense of urgency and are working diligently to incorporate the necessary solutions to address the issue.
The table below lists Lexmark products that may be impacted by the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). Any product that is not listed in this table is still under review for impact. This table will be revised as new information becomes available.
Last Update: 12/23/2021
Product | Impacted (Yes/No) | Remedy | Status | Upgrade Path |
Hardcopy Printers and MFPs | No | N/A | No further action needed | N/A |
Publishing Platform for Retail | No | N/A | No further action needed | N/A |
LCS Fleet Agent v1.2.46 | Yes | Yes | LCS Notifications; LCS New and Changed Functionality | See instructions in the status section |
LCS Printer Enrollment Tool 2.7.0-2 | Yes | Yes | LCS Notifications; LCS New and Changed Functionality | See instructions in the status section |
MVE (Markvision Enterprise) | Yes | MVE 4.1.1 or above | Lexmark Markvision Enterprise (homepage) | Customer Installer |
LFT/LRAM | Yes | Yes | Update Available | Customer Installer |
LDCM (Lexmark Data Collection Manager) | Yes | Yes | Workaround Available | Tech Ops Engagement |
LRMe (Lexmark Remote Management Extension) | Yes | Yes | Update Available | Tech Ops Engagement |
LDD (Lexmark Document Distributor) | Yes | Yes | Workaround Available | NA - SD&I – Contact TPM; Other Geos – Contact Lexmark Technical Support |
LPM (Lexmark Print Management) | Yes | Yes | Workaround Available | NA - SD&I – Contact TPM; Other Geos – Contact Lexmark Technical Support |
DDU (Device Deployment Utility) | Yes | DDU 2.12 or above | Lexmark Device Deployment Utility (support site) | Customer Installer |
VSC (Virtual Solution Center) | Yes | EOL - January 28, 2022 | Customers will be required to use CFM or Package Builder | Use CFM or Package Builder |