Security Vulnerability CVE-2021-44228

Updated: Dec 16, 2021

Target Audience: On-Premises iManage Customers

On December 9 a new Apache vulnerability was released which has been categorised as a high-level vulnerability. It may impact major software solutions such as Apple, Amazon, Cloudflare, and iManage. It affects versions of Log4j 2.0-beta9 up to 2.14.1. iManage has identified that the IDOL, RAVN, Threat Manager and Security Policy Manager, and Records Manager products were affected. They have already applied the recommended solution to the cloud environment and the risk has been mitigated with zero impact to any iManage Cloud client data. For OIA / iManage on-premise customers, the impacted applications and versions are below. Important to note that only these newer versions are impacted, earlier versions of these platforms are not affected. The installed version of iManage applications can be found in Settings-Programs and Features, the About option in web-enabled applications, or the original installation files.

> iManage Preview Server 10.3.0.27 > iManage Work Indexer powered by IDOL 10.3.0.26 and later NOTE: this is only installed where customers have Security Policy Manager installed. Most customers will have IDOL 8.5SP3 and will not be affected > iManage Work Indexer powered by RAVN 10.3.x NOTE: if you have RAVN installed on-prem, it is likely you are on either version 10.2.x (not affected) or 10.3.x (affected) > iManage Records Manager 10.3.x and later

> iManage Security Policy Manager (All versions)

> iManage Threat Manager (All versions)

> iManage Work Server is not affected by this issue


If you believe you have these versions installed on-premises please contact OIA Support and we can assist.


The action required to remediate the vulnerability is a fairly straightforward change to a configuration file, but of course needs careful attention and due process - OIA will be happy to assist with the fix if needed. The full iManage Advisory is also available in iManage Help Center.

8 views