NCR Software Update – Apache Log4j

 
Date: December 15, 2021; Updated: December 20, 2021.

We want to ensure you have the most current information on a series of vulnerabilities discovered within Apache Log4j.

Apache Log4j 2 is an industry-wide and very commonly used Java library, which many Java applications and server software use for logging. Select NCR Banking software products make use of the Log4j 2 library.

NCR assessed our usage of the Log4j library and applied containment measures where needed. As more details and patches have been provided by the IT community at large, NCR has implemented remediation efforts for the impacted solutions. NCR has been working and will continue to work with customers, partners and vendors to mitigate the potential issue.

NCR systems and operations are functioning normally. We will continue to prioritize protecting our customers and their data.

NCR Digital Banking

NCR has assessed its usage of the Log4j 2 library in its Digital Banking software products and has identified and executed the appropriate remediation actions on external-facing systems. All Digital Banking systems are operating normally with no impact to customers, and there is no action required by NCR Digital Banking customers.

Other NCR Banking Software

Select Banking Software products make use of the Log4j 2 library, and mitigations have been identified and executed to prevent the exploitation of the vulnerability. This is the current list of identified solutions that are impacted by the Log4j 2 vulnerabilities:

 

| Product | Versions Impacted |
| --- | --- |
| Passport | 3.15 and later |
| Transaction Gateway | All 4.x and 3.4.x WST + TM, LOW 4.3.0 |
| Vision | Vision 4.13 and later (Including MESH 2.8.0 GA onwards) |
| Authentic | 4.2.00 and later |
| Terminal Handler | V 1.1 (Including MESH 2.8.0 GA onwards) |
| Cash Management | 9.09 - 9.12 |
| Archive | WebView 6.2.0 & 6.2.1 |
| Clear | 6.01.00 and later |
| Inetco Insight | 7.3, 7.4 |
| Solidcore (EPO) | ePolicy Orchestrator (ePOS) 5.10 CU 11 |

 

NCR has enacted mitigation actions for these products in our Managed Services, SaaS and other hosted environments.

For NCR banking customers who are operating these solutions in an on-premise deployment, NCR advises that you urgently contact NCR through your normal support channel to receive guidance on the remediation actions.


Additional Resources

The US Cybersecurity & Infrastructure Security Agency has issued guidance: US Cybersecurity & Infrastructure Security Agency