Security vulnerability “Log4Shell”

A critical vulnerability in log4j, the logging library for Java applications, is currently being exploited in a growing number of cyber attacks. If an attacker-controlled string is written to the log, remote code execution becomes possible. The vulnerability is known as “Log4Shell”. All RetailForce systems (RetailForce Cloud, Fiskal Client, …) are free of this vulnerability, as they use no Java-based services.

According to our information, the Fiscal Cloud Connectors (FCC) of the Cloud TSEs from the providers Swissbit and Deutsche Fiskal are affected by “Log4Shell”. According to Swissbit / Deutsche Fiskal, the external tools in the Azure environment of the TSE web services as well as the central cloud applications have been assessed according to the current state of the art and classified as non-critical. Physical TSEs (“hardware TSE”) are not affected by the vulnerability either.

Recommendation from the Cloud TSE providers:

Check of the Fiscal Cloud Connector (FCC):
To fix the vulnerability immediately, we strongly recommend that all customers set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the account running the FCC application. The FCC service must then be restarted.
For all customers who cannot perform this procedure, we will provide an FCC update as soon as possible, version 3.2.4, which will make the environment variable adjustment during the update process.

Statement DF on BSI CVE-2021-44228

Further information can be found in the BSI publication (“Critical vulnerability in log4j published”): https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3

Complete statement / customer information of Deutsche Fiskal (DF):

Dear users of the Fiskal Cloud,
On behalf of DF Deutsche Fiskal GmbH, we would like to provide you with an update on the current security situation with regard to the security notice published by the BSI on 11.12.2021 (BSI: CVE-2021-44228).
DF Deutsche Fiskal GmbH also uses Java-based services and therefore cannot exclude that its systems might be affected.
Within the scope of a task force, the following measures have been defined and partly already implemented. Details as of 13.12.2021 are given below:

Check all external JAVA-based services/tools:
According to current knowledge, the security measures recommended by the BSI and the manufacturers have been implemented for the external tools in the Azure environment.
(Status 12/13/21: Done).

Check of Bundesdruckerei’s central TSE web service:
D-Trust GmbH, as a subsidiary of Bundesdruckerei and operator of the TSE web service, has confirmed in preliminary information that the aforementioned “log4j logger” is not used in the central TSE web service environment.
(Status 12/13/21: Done).

Check of all internal central Fiscal Cloud applications:
According to initial findings, the prerequisite for exploiting the vulnerability is that the Log4j 2 parameter “formatMsgNoLookups” is set to “false” and that Java Runtime 8 Update 191, 11.0.1 or older is in use. In newer versions, the exploited functionality is disabled by default by the Java Runtime.
However, since there are ways to bypass the JDK protection, all Fiscal Cloud services have been additionally reconfigured to prevent the exploit from working, in order to increase security. Furthermore, in FCC version 4.0.0 the new library (from version 2.15) will be used to increase protection further.
(Status 12/13/21: Done).

Check of the Fiscal Cloud Connector (FCC):
To fix the vulnerability immediately, we strongly recommend that all customers set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true on the account running the FCC application. The FCC service must then be restarted.
For all customers who cannot perform this procedure, we will provide an FCC update as soon as possible, version 3.2.4, which will make the environment variable adjustment during the update process.

We are continuing the analyses and as soon as new findings are available, we will inform you immediately.

With kind regards
Your DF Support Team

Important Fiscal Cloud customer information / statement DF on BSI CVE-2021-44228

We recommend that all users of the Fiscal Cloud Connector take the steps recommended by DF to close the vulnerability.
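As an added example (not RetailForce's or DF's code), the following Python audit checks a host running a Java service such as the FCC for the two mitigations the statement names: LOG4J_FORMAT_MSG_NO_LOOKUPS=true in the service account's environment, and log4j-core upgraded to version 2.15 or newer. The install directory, jar names and manifest contents are constructed assumptions; run it as the FCC service account so the environment it sees is the one the service runs with.

```python
"""Added example (not RetailForce/DF code): audit a host for the advisory's two
Log4Shell mitigations (LOG4J_FORMAT_MSG_NO_LOOKUPS=true or log4j-core >= 2.15)."""
import os, re, tempfile, zipfile
from pathlib import Path

MIN_FIXED = (2, 15, 0)  # library version threshold named in the advisory

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing parts are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])

def log4j_core_version(jar_path):
    """Implementation-Version from the jar's manifest, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:  # jar carries no manifest at all
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def audit(install_root, environ=None):
    """Scan install_root for log4j-core jars; report which mitigation applies."""
    environ = os.environ if environ is None else environ
    jars = {str(p): log4j_core_version(p)
            for p in Path(install_root).rglob("log4j-core*.jar")}
    # "no jar found" stays False so an empty scan is never reported as safe
    upgraded = bool(jars) and all(
        v is not None and parse_version(v) >= MIN_FIXED for v in jars.values())
    env_ok = environ.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"
    return {"jars": jars, "env_mitigation": env_ok, "upgraded": upgraded,
            "mitigated": env_ok or upgraded}

def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar whose manifest declares a version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Constructed install dir: 2.14.1 alone, then with env var, then upgraded."""
    with tempfile.TemporaryDirectory() as root:
        old = Path(root, "log4j-core-2.14.1.jar")
        make_sample_jar(old, "2.14.1")
        before = audit(root, {})["mitigated"]
        with_env = audit(root, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"})["mitigated"]
        old.unlink()
        make_sample_jar(Path(root, "log4j-core-2.15.0.jar"), "2.15.0")
        return before, with_env, audit(root, {})["mitigated"]  # (False, True, True)
```

`audit("/path/to/fcc")` with no second argument reads the real process environment, so the `env_mitigation` result only reflects the service when the script runs under the same account and after the service restart the advisory requires.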