Response to CVE-2021-44228

Notice from Extenda Retail

Updated 10/02/202 – 10:45 AM CET
Extenda Retail continuously monitors for vulnerabilities in third-party code. We are aware of additional security vulnerabilities in log4j, which have resulted in multiple patch releases. We continue to work closely with our customers that have Java in their environments and will tailor advice on an as-needed basis.

Updated 14/12/2021 – 14:05 PM CET

What Extenda Retail products are potentially vulnerable?
Retail Suite

  • The complementary RS component Elasticsearch has been evaluated as not vulnerable by the vendor. See the statement from Elastic here.
  • There are vulnerable versions of the complementary RS component Jaspersoft. See the communication on impacted versions and how to mitigate from Tibco Jaspersoft here.


Updated 13/12/2021 – 12:52 PM CET
What Extenda Retail products are potentially vulnerable?
Retail Suite
  • The complementary RS component Elasticsearch has been evaluated as not vulnerable by the vendor. See the statement from Elastic here.
  • The complementary RS component Jaspersoft is under investigation. No guidance related to this vulnerability has been published by the vendor.

First published 12/12/2021. Section «Mitigating factors» Last updated 15/12/2021 – 15:30 PM CET

On Dec 9 2021, a zero-day vulnerability was announced affecting log4j, the world’s most widely adopted logging framework for Java. The vulnerability allows remote execution of arbitrary code, which can allow an attacker to take control of the vulnerable host system. As a provider of Java based software, Extenda Retail is treating this vulnerability as critical, and working expeditiously to provide information and software updates to mitigate the risk and potential impact to our customers.

Who is at risk of being impacted?

Systems which run Java software applications which make use of the log4j logging library. According to the official log4j site, all versions prior to 2.15.0 are vulnerable. Version 2.15.0 was first released Dec 6, 2021.

Mitigating factors

While this is a developing issue, current security research indicates that risk mitigation is possible until the vulnerable log4j software can be replaced with version 2.15.0 or above.

According to the log4j official site, for all versions of log4j 2.x to 2.14.0 the mitigation is to remove the JndiLookup class from the classpath:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
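The following is an added example, not Extenda Retail's tooling or the log4j project's own code. It does in Python what the zip command above does by hand, and also applies the version rule from the "Who is at risk" section: it walks a directory, reads the log4j-core version from each jar's manifest (falling back to the file name), reports whether JndiLookup.class is still present, and can rewrite the jar without that entry. The sample jar it builds for the demonstration is constructed and is not a real log4j build.

```python
"""Find log4j-core jars, report whether they still carry JndiLookup.class, and
optionally strip that entry (the same effect as `zip -q -d`).

Added example for this advisory; not Extenda Retail's or the log4j project's
own code. Assumes jars on local disk; the demo jar is constructed, not a real
log4j build.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # per the advisory: releases before 2.15.0 are vulnerable


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); return None for anything else (treated as unknown)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def log4j_version(jar_path):
    """Read Implementation-Version from MANIFEST.MF, else parse it from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
                    if version:
                        return version
    m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", os.path.basename(jar_path))
    return parse_version(m.group(1)) if m else None


def assess_jar(jar_path):
    """Describe one jar: version, whether JndiLookup.class is present, and the verdict.
    An unknown version with the class present is treated as vulnerable (conservative)."""
    with zipfile.ZipFile(jar_path) as zf:
        has_lookup = JNDI_LOOKUP in zf.namelist()
    version = log4j_version(jar_path)
    vulnerable = has_lookup and (version is None or version < FIXED_VERSION)
    return {"path": jar_path, "version": version,
            "has_jndi_lookup": has_lookup, "vulnerable": vulnerable}


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class. Returns True if removed, False if absent."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        tmp_path = jar_path + ".tmp"
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():       # copy every entry except the lookup class
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)            # atomic swap so a crash leaves the original intact
    return True


def scan_directory(root):
    """Assess every *.jar below root; returns a list of assess_jar() results."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results


def build_sample_jar(directory, version, include_lookup=True):
    """Construct a minimal fake log4j-core jar for the demonstration (not a real build)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Vulnerable 2.14.1 jar -> strip the class -> re-assess; plus a 2.15.0 jar for contrast."""
    with tempfile.TemporaryDirectory() as tmp:
        old = build_sample_jar(tmp, "2.14.1")
        before = assess_jar(old)
        removed = strip_jndi_lookup(old)
        after = assess_jar(old)
        fixed = assess_jar(build_sample_jar(tmp, "2.15.0"))
        return {"before": before, "removed": removed, "after": after, "fixed_release": fixed}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Point `scan_directory` at an application's lib folder to get an inventory before deciding where to apply `strip_jndi_lookup`; removing the class from a copy of the jar is not enough, the jar actually on the classpath has to change, and the JVM must be restarted to pick it up. The version threshold encodes only the 2.15.0 floor stated on this page.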

Despite their previous guidance, the log4j maintainers now consider the following to be insufficient mitigation measures:

  • setting the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or
  • modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The vulnerability is exploited in part through the Java Naming and Directory Interface (JNDI) API. According to security researchers, running Java Runtime Environment (JRE) 1.8.0_191 or higher should mitigate the attacker's ability to exploit the vulnerability through the JNDI API. Technical details can be found here.

Extenda Retail Recommendations

All Extenda Retail customers are encouraged to check the version of Java running on their host systems. All Extenda Retail software is able to operate on Java Runtime Environment (JRE) 1.8.0_191 and higher. Please contact your Extenda Retail Client Executive if you have questions about upgrading your Java version. Extenda Retail is proactively reaching out to our customers to ensure that they are aware of this vulnerability and prepared to respond.

Many of our customers operate with network perimeter security defenses. Limiting inbound traffic from the public internet to only trusted sources will greatly limit the exposure of vulnerable systems. Restricting outbound traffic also protects vulnerable endpoints. Please work with your IT network operations teams to identify vulnerable hosts and ensure that they are not exposed to the public internet.

What Extenda Retail products are potentially vulnerable?

Our Java based products include Extenda Retail POS, Centraloffice and supporting POS products.

What Extenda Retail products are NOT vulnerable?

  • Extenda Payments Service (EPS)
  • Hii Retail SaaS products
  • Relevate hosted services
  • Pharma Suite, Pharma Suite Online, Pharma Suite Dose, and Pharma Order Management System
  • The complementary RS component Elasticsearch has been evaluated as not vulnerable by the vendor. See the statement from Elastic here.

Additional updates will be made available here on an ongoing basis.

What to expect from Extenda Retail 

Extenda Retail treats all critical security threats with the utmost urgency, whether those threats are in the application code we develop or, as in the case of log4j, in a software dependency that we rely on. Our number one priority is to provide a secure new release to our customers as soon as one can be made available. We began the work as soon as the CVE was announced on Dec 9, and will continue the development as our only and top priority until a release is made available to all affected customers.

We are here to assist you in maintaining secure retail operations. Extenda Retail is contacting all customers which are potentially vulnerable, and we are here to ensure that your questions are answered. All additional details and plans will be communicated directly over secure private channels.
