Log4j Security Update
Dear Valued Partners,
Late this week Case Financial became aware of a critical security vulnerability (CVE-2021-44228, CVE-2021-45045 and CVE-2021-45105) in Apache Log4j, which is a popular logging library commonly used by Java-based applications. Additional information on this particular vulnerability can be accessed at the CISA website https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
Immediately upon learning of the vulnerability, we opened an investigation into our internal platforms, as well as with all of our vendors' product and security support staff, to determine which products Case offers, if any, may have the potential to contain this vulnerability.
Internal Investigation: Our internal investigation and scans have determined that Case Financial is not using any of the affected versions of Apache Log4j and all internal systems and processes are free from this threat.
External Investigation (Vendors): Inquiries and assurances from the majority of our vendors indicate that most of our major OEMs' product offerings are free of the vulnerability, including:
- Add-On Technologies (Dynacash/Dynacore)
- Triton ATMs
- NCR ATM Hardware
- NCR Edge & Activate Enterprise Software
- March Networks
- Digital Watchdog
- CSG Remoteview
Case has been informed by one of our vendors that users of the following three software products may be subject to this vulnerability and should consider applying the appropriate patches, if needed, as soon as practicable:
- Passport (Server): Versions 3.15 and Later
- Transaction Gateway: All 4.x and 3.4.x WST + TM, LOW 4.3.0
- Vision: Version 13 and later (Including MESH 2.8.0 GA onwards)
If your organization is utilizing any of these product lines, please find additional information from NCR concerning these products and mitigation instructions below.
Case Financial cares deeply about the security of our customers and our ability to provide the best products and services available. We look forward to answering any additional questions or concerns that you may have.
December 17, 2021
Update to Banking Channel Partners for Apache Log4j 2 Vulnerability (CVE-2021-44228)
NCR is aware of the zero-day industry-wide Log4J vulnerability outlined by the CVE-2021-44228 advisory at https://nvd.nist.gov/vuln/detail/CVE-2021-44228. The vulnerability is exploiting an industry-wide used logging library that developers use to keep a record of activity within an application. It is limited to affecting select versions of a single open-source software component, specifically Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 used by some Java software.
NCR quickly assessed our usage of the Log4j library and applied containment measures where needed. As more details and patches have been provided by the IT community at large, NCR has implemented remediation efforts from the edge inward. NCR has been working, and will continue to work, with customers and partners to mitigate the potential issue.
Select Banking Software products that make use of the Log4j 2 library have been identified, and mitigations have been executed to prevent the exploitation of the vulnerability.
This is the current list of identified solutions that are impacted by the Log4j2 vulnerability:
| Product | Affected versions |
|---|---|
| Passport (Server) | 3.15 and later |
| Transaction Gateway | All 4.x and 3.4.x WST + TM, LOW 4.3.0 |
| Vision | Vision 4.13 and later (Including MESH 2.8.0 GA onwards) |
NCR has enacted mitigation actions for these products in our Managed Services, SaaS and other hosted environments. If you are accessing these solutions as a Managed Service via SaaS or other hosted environments, there is no action required.
For NCR banking customers who are operating these solutions in an on-premise deployment, NCR advises that you urgently contact your channel account manager to receive guidance on the remediation actions.
We are aware of a zero-day (newly discovered) vulnerability in non-NCR software called Log4j. The vulnerability is exploiting an industry-wide used logging library that developers use to keep a record of activity within an application.
- The newly reported issue is limited to affecting select versions of a single open source software component, specifically Log4j versions 2.0-beta9 to 2.14.1.
- A patch to address the issue has been made available: https://logging.apache.org/log4j/2.x/security.html
- The US Cybersecurity & Infrastructure Security Agency has issued guidance: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
- NCR systems and operations are functioning normally.
- We will continue to prioritize protecting our customers and their data.
- We will keep you informed as we continue to monitor this industry-wide issue.