Does The Digital Signage CMS Software Sector Have A Security Issue?

December 17, 2021 by Dave Haynes

Coders at a whole bunch of digital signage management software companies, as well as all the solutions providers and integrators out there who use CMS software, may be paying close attention to the status and fixes for a security vulnerability found last week in widely-used logging software that’s based on Java.

The vulnerability in what’s known as Log4j could give hackers broad access to compromised systems, and cause all kinds of information security issues, including denial of service attacks. There are suggestions this is a huge, global problem that will have ripple effects for years.

I have had a handful of emails from companies who have effectively said, “we’re good.” But a handful among literally 100s of companies. Those who have put out “we’re unaffected” statements include OptiSigns, BroadSign, Appspace, Yodeck, Intuiface, ProDVX and Navori.

That does not mean other companies are staying quiet because they’re busy sorting out the problem. It may mean nothing of the sort. But giant companies like Microsoft, Cisco and Amazon are affected, so it stands to reason there are companies in the digital signage ecosystem who might have an issue, given the widespread use of Log4j.

OptiSigns sent around a note saying:

This has impacted many companies, but we want to let you know that we are safe and not impacted by this Log4j vulnerability after a thorough analysis  performed by our engineering team. Log4j is a common Java library for logging. We are not using Java on our servers. We do use Java-based services for logging and caching for search in a separated cluster, but it is not impacted by this Log4j vulnerability either after review.

Capital Networks has said:

The recent Log4j vulnerability issue has affected many digital signage solution providers and their customers. Capital Networks would like to assure our partners and end users that the solutions provided by our company have not been affected.  Our development team has confirmed that the Log4j package is not a part of the core Apache server used by Capital Networks and is not installed in any of our server or client environments.

Log4J is maintained by the open-source Apache Software Foundation, and there is a page dedicated to exposing issues and outlining remedies.

BroadSign on its company blog has a brief but useful explainer:

In early December, a vulnerability in the log4j open-source logging library, called “Log4Shell,” was detected. Log4j is a library used widely by technology companies around the world, and Log4Shell enables bad actors to exploit this library to execute remote code on vulnerable servers with relative ease.

I have been watching this for 2-3 days but have been reluctant to write much about it, simply because it is coding stuff that is way over my head. Intuiface and a few other companies – like SignageLive and Samsung (for MagicInfo) – have high-level ISO 27001 information security certification, but most don’t. 

Has your company been affected? I am thinking companies that have been affected might be gun-shy to say much, but it is probably better to be clear about where things are at and what’s being done about it. Customers will ask.

Update: Screenly, Capitol Networks, Real Digital Media Embed Signage, Omnivex and Stratos Media have sent notes saying they are unaffected. Easescreen and POS Screen have also since said they are OK.

I am sure there are many others who are also unaffected. Kiosk industry-watcher Craig Keefner has suggested in the comments that end-users and resellers ask: #1 do you run java-based apps. #2 whether Plesk is one of your installed cpanels for your apache, and #3 is it an older version with Tomcat (17.7 and earlier)

  1. craig Allen keefner says:

    The question users can ask is #1 do you run java-based apps. #2 whether Plesk is one of your installed cpanels for your apache, and #3 is it an older version with Tomcat (17.7 and earlier)

  2. Ken Goldberg says:

    Please add RDM’s NEOCAST to the unaffected list. None of our software uses Log4j.

  3. Brian Hammett says:

    Hi Santa (Dave), Please add StratosMedia to the your Good List as we do not use Log4j in any component including all , cloud based architcture or native applications

  4. Elvira Bracci says:

    X2O Media is not affected. The X2O Platform software (including OneRoom and X2O Players) does not use any java code and is therefore not affected by the issue.

  5. Olivier Duizabo says:

    Ditto for Quividi: our applications do not use any Java code and are therefore not directly affected by this vulnerability. This applies equally to our edge solution, VidiReports and to our back-office solution, VidiCenter.

  6. Thomas Fraser-Bacon says:

    Likewise, Allsee’s CMS platform My Signage Portal is unaffected by this vulnerability. Thanks for pointing this out Dave, there are a plethora of security-related issues that people in the industry should be clued up on.

  7. Nicolas Meyer says:

    After having thoroughly researched the exposure of SpinetiX to this vulnerability, I can confirm that SpinetiX products are not affected in any way by log4j. More information on our Support Wiki: https://support.spinetix.com/wiki/Apache_Log4j_vulnerability

Leave a comment