Dear customers,

You have probably heard from the daily press that the Federal Office for Information Security (BSI) is currently issuing a new warning level.
According to the BSI, the critical vulnerability (Log4Shell) in the widely used Java library Log4j leads to an extremely critical threat situation. The BSI has therefore upgraded its existing cyber security warning to warning level red. The reason for this assessment is the very widespread use of the affected product and the associated effects on countless other products.

First of all, it is important to note that the ZEISS Group takes such warnings very seriously and that the safety of our products has the highest possible priority.

However, we would like to assist you with regard to the warning from the BSI and transparently take away your understandable concerns.

What can we say about our products at the moment:

• The investigations, into the extent to which ZEISS products are affected by the fundamental concerns of the BSI in question, are constantly carried out at ZEISS, regardless of reports from the daily press, so that it is always up to date.
• The present ZEISS IQS applications in particular are not developed on the basis of Java and therefore do not contain any components that are subject to the current security warning issued by the BSI.
• Of course, we will keep you informed as usual as part of our ongoing security analyzes.
• Should you find out about any security problems yourself, we ask you to inform us about this as soon as possible.

For the products listed below (not exhaustive), we can, after analysis, based on the BSI's opinion on the threat to (CVE-2021-44228), exclude the possibility that there is a risk in this regard. The reason for this is that no “Log4J” is implemented in the products.

According to the knowledge currently available to us, there is no threat to the current releases and the third-party components they contain in relation to the security warning issued by the BSI.

The products analyzed are as follows:

ZEISS ACCTee Pro
ZEISS AirSaver
ZEISS BLADE PRO
ZEISS CALIGO
ZEISS CALYPSO
ZEISS CMM-OS
ZEISS CMM-OS NEO
ZEISS FixAssist CT
ZEISS GEAR PRO
ZEISS iDA
ZEISS License Management Tool
ZEISS MCC
ZEISS METROTOM OS
ZEISS NEO pixel
ZEISS NEO select
ZEISS PiWeb
ZEISS PiWeb Cloud
ZEISS REVERSE ENGINEERING
ZEISS Smart Services Dashboard
ZEISS Stylus System Creator
ZEISS TEMPAR
ZEISS ZAPHIRE
ZEISS ABIS Softwarepakete
ZEISS ABIS Planner
ZEISS Intact 1200 /1600 Software
ZEISS Colin 3D
ZEISS T-Scan Collect (Interface)
ZEISS HOLOS
VISIO7
ZEISS SES viewer
ZEISS NEO viewer
NZDI
ZEISS CMM Agent
ZEISS DeviceActivator
ZEISS Tracer Service

The C99 firmware used in the measuring machines does not use a Log4j library. All measuring machines in which the firmware is used are therefore not affected by the security gap.

This list is not exhaustive and will be expanded if necessary after a corresponding safety-relevant analysis.

This announcement is based on the status on January, 12, 2022 12:00 p.m.

We are happy to answer your questions with our product support team (info .metrology .us @zeiss .com) and our security department.