Log4j Security Update

Dear Valued Partners,

Late this week Case Financial became aware of critical security vulnerabilities (CVE-2021-44228, CVE-2021-45045 and CVE-2021-45105) in Apache Log4j, a popular logging library commonly used by Java-based applications. Additional information on these vulnerabilities can be accessed at the CISA website https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.

Immediately upon learning of the vulnerability, we opened an investigation into our internal platforms and contacted the product and security support staff of all of our vendors, to determine which products Case offers, if any, may contain this vulnerability.

Internal Investigation: Our internal investigation and scans have determined that Case Financial is not using any of the affected versions of Apache Log4j, and all internal systems and processes are free from this threat.

External Investigation (Vendors): Inquiries and assurances from the majority of our vendors indicate that most of our major OEMs' product offerings are free of the vulnerability, including:

  • ATEC
  • LG
  • CIMA
  • Add-On Technologies (Dynacash/Dynacore)
  • Triton ATMs
  • NCR ATM Hardware
  • NCR Edge & Activate Enterprise Software
  • March Networks
  • Verint
  • DMP
  • Digital Watchdog
  • Pacom
  • ECI
  • CoorWorks
  • Cencon/KabaMas
  • CSG Remoteview

Case has been informed by one of our vendors that users of the following three software products may be subject to this vulnerability and should consider applying the appropriate patches, if needed, as soon as practicable:

  • Passport (Server): Versions 3.15 and Later
  • Transaction Gateway: All 4.x and 3.4.x WST + TM, LOW 4.3.0
  • Vision: Version 13 and later (Including MESH 2.8.0 GA onwards)

If your organization is utilizing any of these product lines, please find additional information from NCR concerning these products and mitigation instructions below.

Case Financial cares deeply about the security of our customers and our ability to provide the best products and services available. We look forward to answering any additional questions or concerns that you may have.


December 17, 2021

Update to Banking Channel Partners for Apache Log4j 2 Vulnerability (CVE-2021-44228)

NCR is aware of the zero-day industry-wide Log4j vulnerability outlined by the CVE-2021-44228 advisory at https://nvd.nist.gov/vuln/detail/CVE-2021-44228. The vulnerability affects a widely used logging library that developers use to keep a record of activity within an application. It is limited to select versions of a single open-source software component, specifically Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, used by some Java software.
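As an added illustration, not from Case Financial or NCR, of how the version ranges quoted above can be checked on a host: a Python script that finds jars bundling log4j-core, reads the version from the Maven pom.properties inside the jar (standard Maven layout), and classifies it against the ranges in the notice. The two sample jars it builds are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected log4j-core ranges (inclusive), exactly as the NCR notice states them.
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")

def version_key(version: str) -> tuple:
    """Sort key for Log4j version strings; pre-releases sort before the final release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (0, {"alpha": 0, "beta": 1, "rc": 2}[tag], int(num)) if tag else (1, 0, 0)
    return (int(major), int(minor), int(patch or 0)) + pre

def is_affected(version: str) -> bool:
    """True if the version falls inside one of the impacted ranges from the notice."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)

def log4j_core_version(jar_path: Path):
    """Read the log4j-core version from the Maven pom.properties inside a jar, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for name in zf.namelist():
                if name.endswith("org.apache.logging.log4j/log4j-core/pom.properties"):
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass
    return None

def scan(root) -> list:
    """Return (jar path, version, affected) for every jar under root that bundles log4j-core."""
    found = [(str(j), log4j_core_version(j)) for j in sorted(Path(root).rglob("*.jar"))]
    return [(p, v, is_affected(v)) for p, v in found if v is not None]

def demo() -> list:
    """Constructed sample: two jars with embedded pom.properties, one affected and one not."""
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("2.14.1", "2.17.0"):
            with zipfile.ZipFile(Path(tmp) / f"app-{version}.jar", "w") as zf:
                zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                            f"version={version}\ngroupId=org.apache.logging.log4j\n")
        return [(v, hit) for _, v, hit in scan(tmp)]
```

Jars that shade Log4j classes without carrying pom.properties are not detected by this check, so treat a clean result as one input among several, not as proof of absence.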

NCR quickly assessed our usage of the Log4j library and applied containment measures where needed. As more details and patches have been provided by the IT community at large, NCR has implemented remediation efforts from the edge inward. NCR has been and will continue to work with customers and partners to mitigate the potential issue.

Select Banking Software products that make use of the Log4j 2 library have been identified, and mitigations have been executed to prevent exploitation of the vulnerability.

This is the current list of identified solutions that are impacted by the Log4j2 vulnerability:

Product                Versions Impacted
Passport (Server)      3.15 and later
Transaction Gateway    All 4.x and 3.4.x WST + TM, LOW 4.3.0
Vision                 Vision 4.13 and later (Including MESH 2.8.0 GA onwards)

NCR has enacted mitigation actions for these products in our Managed Services, SaaS and other hosted environments. If you are accessing these solutions as a Managed Service via SaaS or other hosted environments, no action is required.

For NCR banking customers who are operating these solutions in an on-premises deployment, NCR advises that you urgently contact your channel account manager to receive guidance on the remediation actions.

We are aware of a zero-day (newly discovered) vulnerability in non-NCR software called Log4j. The vulnerability affects a widely used logging library that developers use to keep a record of activity within an application.