Trimble has identified the Log4j vulnerability as a potential exposure for Trimble and is executing its vulnerability management process to assess the risk and prioritize remediation. We have engaged internal engineering resources, third-party cybersecurity vendors, and software providers. We are continuously refreshing our datasets and driving remediation as we identify potential exposures in our infrastructure and product code.
The Connect team has already deployed updates to all of the affected Trimble Connect services. End-user activity does not affect the issue, so there is no need for Trimble Connect customers to stop using the product.
15.12.2021: At this time, Trimble (with the current industry knowledge available) believes that the following products are not affected by this vulnerability. This is either because Log4j is not utilized by the product, or because it’s not using a vulnerable version that can be exploited by the method of CVE-2021-44228.
Client:
- Quadri 2022 / Novapoint 2022
- Quadri 2020 / Novapoint 2020
- Novapoint 21
Server:
- Model Server 3.2
- Model Server 3.1
Cloud:
- Model Server 3.3
- Trimble Connect
- Quadri for Browser
- Topics flow
We will continue to assess this information and products against new information and our internal security tools.