
Log4j vulnerability and NAPA products and services

What happened

Similar to the rest of the industry, we at NAPA have become aware of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library log4j (all versions between 2.0 and 2.15 are vulnerable).

The tool is used by a large part of the internet. When a hacker inputs certain text into these applications, it triggers something in the tool that gives them total control of the device the software is running on. The primary challenge relates to the size and scope of the vulnerability. An enormous number of applications use this underlying software.

We immediately took action to mitigate any potential impacts on NAPA applications and systems. We’d like to provide you with an update. 

Actions we’ve taken 

We have run an audit of NAPA products. The following is the list of already audited products and their status regarding this vulnerability. 

NAPA Safety Solutions 

NAPA Stability: Not affected by the vulnerability
NAPA Loading Computer: Not affected by the vulnerability
NAPA Emergency Computer: Not affected by the vulnerability
NAPA Logbook: Not affected by the vulnerability

NAPA Shipping Solutions 

NAPA Fleet Intelligence: Not affected by the vulnerability
NAPA Office: Not affected by the vulnerability
NAPA Voyage Optimization: Not affected by the vulnerability


NAPA Design Solutions
 

NAPA: Not affected by the vulnerability
NAPA Designer: Not affected by the vulnerability
NAPA DB Server: Not affected by the vulnerability
NAPA License Manager: Not affected by the vulnerability
NAPA Drafting: Not affected by the vulnerability
NAPA Drafting Plugin for AutoCAD: Not affected by the vulnerability
NAPA Viewer: Not affected by the vulnerability

NOTE: 
Current NAPA Design Solutions’ products do not use Java and there are no vulnerabilities.
Products released before the year 2014 might contain Java components but not this vulnerability. 

However, it is highly recommended to use the latest NAPA release versions.


Internal NAPA systems
 

The mitigation for the vulnerability has already been applied to internal NAPA systems. To date, our analysis has not identified any compromise of NAPA systems or customer data before the mitigations were applied.

Actions moving forward

We are continuing to test our services to see whether they are vulnerable as a result of using third-party components and, where applicable, will take the necessary actions.

The proper mitigations have been either to update log4j to a safe version or to disable it in the affected service.

We are also monitoring further developments of the issue and will keep you posted should there be any new information or actions needed.

In case you have any further questions or concerns, please contact customer.service@napa.fi  

Best regards, 

The NAPA team 

 

Updated on 20 December 2021