We want to ensure you have the most current information on a series of vulnerabilities discovered within Apache Log4j.
Apache Log4j 2 is an industry-wide and very commonly used Java library, which many Java applications and server software use for logging. Select NCR Banking software products make use of the Log4j 2 library.
NCR assessed our usage of the Log4j library and applied containment measures where needed. As more details and patches have been provided by the IT community at large, NCR has implemented remediation efforts for the impacted solutions. NCR has been and will continue to work with customers, partners and vendors to mitigate the potential issue.
NCR systems and operations are functioning normally. We will continue to prioritize protecting our customers and their data.
NCR has assessed its usage of the Log4j 2 library in its Digital Banking software products and has identified and executed the appropriate remediation actions on external facing systems. All Digital Banking systems are operating normally with no impact to customers and there is no action required by NCR Digital Banking customers.
Select Banking Software products that make use of the Log4j 2 library and mitigations have been identified and executed to prevent the exploitation of the vulnerability. This is the current list of identified solutions that are impacted by the Log4j 2 vulnerabilities:
Product |
Versions Impacted |
Passport |
3.15 and later |
Transaction Gateway |
All 4.x and 3.4.x WST + TM, LOW 4.3.0 |
Vision |
Vision 4.13 and later (Including MESH 2.8.0 GA onwards) |
Authentic |
4.2.00 and later |
Terminal Handler |
V 1.1 (Including MESH 2.8.0 GA onwards) |
Cash Management |
9.09 - 9.12 |
Archive |
WebView 6.2.0 & 6.2.1 |
Clear |
6.01.00 and later |
Inetco Insight |
7.3, 7.4 |
Solidcore (EPO) |
ePolicy Orchestrator (ePOS) 5.10 CU 11 |
NCR has enacted mitigation actions for these products in our Managed Services, SaaS and other hosted environments.
For NCR banking customers who are operating these solutions in an on-premise deployment, NCR advises that you urgently contact NCR through your normal support channel to receive guidance on the remediation actions.
The US Cybersecurity & Infrastructure Security Agency has issued guidance: US Cybersecurity & Infrastructure Security Agency