You have probably heard from the daily press that the Federal Office for Information Security (BSI) has issued a new warning level.
According to the BSI, the critical vulnerability (Log4Shell) in the widely used Java library Log4j leads to an extremely critical threat situation. The BSI has therefore upgraded its existing cyber security warning to warning level red. The reason for this assessment is the very widespread use of the affected product and the associated effects on countless other products.
First of all, it is important to note that the ZEISS Group takes such warnings very seriously and that the security of our products has the highest possible priority.
We would also like to assist you with regard to the BSI warning and address your understandable concerns transparently.
What we can say about our products at the moment:
• ZEISS continuously investigates the extent to which its products are affected by the concerns raised by the BSI, regardless of reports in the daily press, so that this assessment is always up to date.
• The present ZEISS IQS applications in particular are not developed on the basis of Java and therefore do not contain any components that are subject to the current security warning issued by the BSI.
• Of course, we will keep you informed as usual as part of our ongoing security analyses.
• Should you find out about any security problems yourself, we ask you to inform us about this as soon as possible.
For the products listed below (not exhaustive), our analysis, based on the BSI's assessment of the threat posed by CVE-2021-44228, allows us to rule out any risk in this regard. The reason is that Log4j is not implemented in these products.
According to the knowledge currently available to us, there is no threat to the current releases and the third-party components they contain in relation to the security warning issued by the BSI.
The products analyzed are as follows:
ZEISS ACCTee Pro
ZEISS BLADE PRO
ZEISS CMM-OS NEO
ZEISS FixAssist CT
ZEISS GEAR PRO
ZEISS License Management Tool
ZEISS METROTOM OS
ZEISS NEO pixel
ZEISS NEO select
ZEISS PiWeb Cloud
ZEISS REVERSE ENGINEERING
ZEISS Smart Services Dashboard
ZEISS Stylus System Creator
ZEISS ABIS software packages
ZEISS ABIS Planner
ZEISS Intact 1200/1600 Software
ZEISS Colin 3D
ZEISS T-Scan Collect (Interface)
ZEISS SES viewer
ZEISS NEO viewer
ZEISS CMM Agent
ZEISS Tracer Service
The C99 firmware used in the measuring machines does not use a Log4j library. All measuring machines in which the firmware is used are therefore not affected by the vulnerability.
This list is not exhaustive and will be expanded if necessary after a corresponding security-relevant analysis.
This announcement reflects the status as of January 12, 2022, 12:00 p.m.
The Industrial Metrology business group is a leading manufacturer of multidimensional metrology solutions. These include coordinate measuring machines, optical and multisensor systems and metrology software for the automotive, aircraft, mechanical engineering, plastics and medical technology industries. Innovative technologies such as 3D X-ray metrology for quality inspection round off the product portfolio.