Security breach “Log4Shell”

A critical vulnerability in log4j, the logging library for Java applications, is currently being exploited in a growing number of cyber attacks. When a specially crafted string is logged, it allows remote code execution. The vulnerability is known as “Log4Shell”. All RetailForce systems (RetailForce Cloud, Fiskal Client, …) are free of this vulnerability, because no Java-based services are used.

According to our information, the Fiscal Cloud Connectors (FCC) of the cloud TSEs from the providers swissbit and Deutsche Fiskal are affected by “Log4Shell”. According to swissbit / Deutsche Fiskal, the external tools in the Azure environment of the TSE web services, as well as the central cloud applications, have been assessed according to the current state of the art and classified as non-critical. Physical TSEs (“hardware TSEs”) are likewise not affected by the vulnerability.

Recommendation on the part of the Cloud TSE providers:

Check of the Fiscal Cloud Connector (FCC):
To fix the vulnerability immediately, we strongly recommend that all customers set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true for the account running the FCC application. The FCC service must then be restarted.
For all customers who cannot perform this procedure, we will provide an update of the FCC as soon as possible, as version 3.2.4, which will adjust the environment variable during the update process.

Statement DF on BSI CVE-2021-44228

Further information can be found in the BSI publication (“Critical vulnerability in log4j published”): https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf?__blob=publicationFile&v=3

Complete statement / customer information of Deutsche Fiskal (DF):

Dear users of the Fiskal Cloud,
On behalf of DF Deutsche Fiskal GmbH, we would like to provide you with an update on the current security situation with regard to the security notice published by the BSI on 11.12.2021 (BSI: CVE-2021-44228).
DF Deutsche Fiskal GmbH also uses JAVA based services and therefore cannot exclude that its systems might be affected.
Within the scope of a task force, the following measures have been defined and partly already implemented. Details on this, as of 13.12.2021, are given below:

Check all external JAVA-based services/tools:
According to current knowledge, the security measures recommended by the BSI and the manufacturers have been implemented for the external tools in the AZURE environment.
(STAT 12/13/21: Done).

Check of Bundesdruckerei’s central TSE web service:
D-Trust GmbH, as a subsidiary of Bundesdruckerei and operator of the TSE web service, has confirmed in preliminary information that the aforementioned “log4j logger” is not used in the central TSE web service environment.
(STAT 12/13/21: Done).

Check of all internal central Fiscal Cloud applications:
According to initial findings, the prerequisites for exploiting the vulnerability are that the Log4j 2 parameter “formatMsgNoLookups” is set to “false” and that a Java Runtime 8 Update 191 or 11.0.1 or older is in use. For newer versions, the exploited functionality is disabled by default by the Java Runtime.
However, since there are ways to bypass the JDK protection, all Fiscal Cloud services have been additionally reconfigured to prevent the exploit from working, in order to increase security. Furthermore, from FCC version 4.0.0 the new library (from version 2.15) will be used to increase the protection once more.
(STAT 12/13/21: Done).

Check of the Fiscal Cloud Connector (FCC):
To fix the vulnerability immediately, we strongly recommend that all customers set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true for the account running the FCC application. The FCC service must then be restarted.
For all customers who cannot perform this procedure, we will provide an update of the FCC as soon as possible, as version 3.2.4, which will adjust the environment variable during the update process.

We are continuing the analyses and as soon as new findings are available, we will inform you immediately.

With kind regards
Your DF Support Team

Important Fiscal Cloud customer information / statement DF on BSI CVE-2021-44228

We recommend that all users of the Fiscal Cloud Connector take the steps recommended by DF to close the vulnerability.
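As an added example (not RetailForce's or DF's own tooling), the following POSIX shell check turns the conditions in the DF statement into a verdict for one FCC host: it takes the value of LOG4J_FORMAT_MSG_NO_LOOKUPS for the FCC account, the Java runtime version and the log4j 2 version, and reports whether the host is mitigated, relying only on the JDK default protection that DF describes as bypassable, or exposed. The version strings in the demo call are constructed samples.

```shell
#!/bin/sh
# Added example (not RetailForce's or DF's tooling): classify an FCC host's
# Log4Shell exposure from the three facts the DF notice names. The verdict is
# carried in the exit status so it can be used from a monitoring script.

# version_ge A B: true (exit 0) when dotted version A >= B, compared field by field
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# java_norm: turn the legacy "1.8.0_191" form into "8.0.191" so all runtimes compare alike
java_norm() {
  v="$1"
  case "$v" in 1.*) v="${v#1.}" ;; esac
  printf '%s\n' "$v" | tr '_' '.'
}

# log4shell_status NOLOOKUPS_VALUE JAVA_VERSION LOG4J_VERSION
# exit 0 = mitigated, 2 = JDK default protection only (bypassable per DF), 1 = exposed
log4shell_status() {
  nolookups="$1"; jv="$(java_norm "$2")"; lv="$3"
  if version_ge "$lv" "2.15"; then
    echo "mitigated: log4j $lv no longer performs message lookups (the FCC 4.0.0 path)"
    return 0
  fi
  if [ "$nolookups" = "true" ]; then
    echo "mitigated: LOG4J_FORMAT_MSG_NO_LOOKUPS=true (restart the FCC service so it takes effect)"
    return 0
  fi
  major="${jv%%.*}"
  # Per the DF notice, runtimes newer than 8u191 / 11.0.1 disable the abused functionality by default
  if { [ "$major" -eq 8 ] && version_ge "$jv" "8.0.192"; } || version_ge "$jv" "11.0.2"; then
    echo "partial: relying on JDK defaults only; still set LOG4J_FORMAT_MSG_NO_LOOKUPS=true"
    return 2
  fi
  echo "exposed: lookups enabled on Java $jv with log4j $lv; set the variable and restart the FCC service"
  return 1
}

# Demo on constructed values; the exit status is discarded here so the script keeps running
log4shell_status "${LOG4J_FORMAT_MSG_NO_LOOKUPS:-}" "1.8.0_191" "2.14.1" || :
```

Run it as the FCC service account so that the first argument reflects that account's real environment rather than the caller's.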

Firmware Update Swissbit Hardware TSE

A firmware upgrade is available for the Swissbit hardware TSE. We recommend that all customers who use a Swissbit hardware TSE in Germany to comply with the KassenSichV, and who received it before 01 July 2021, upgrade to the current firmware. According to swissbit, the new firmware (version 1.1.0) increases product reliability and should be installed to prevent hardware defects that may occur in rare cases.

The functionality of the TSE is not affected by the firmware update; backward compatibility is confirmed by swissbit. The testing of the new software version by the BSI has already been successfully completed.

In case of hardware defects, TSEs will only be replaced if they already contain the new firmware. In principle, Swissbit has only delivered TSEs with the new firmware version since 01 July 2021. Due to scheduling overlaps in hardware shipping, it cannot be ruled out that TSEs with older firmware still reached customers shortly after 01 July.

We therefore recommend checking the firmware version of swissbit hardware TSEs in use.

We have created a solution article for you in the RetailForce Support Portal, which describes how to check the firmware version of the TSE and perform the firmware update. You can find the article at: https://support.retailforce.cloud/hc/de/articles/4411327044497-Firmware-Update-swissbit-Hardware-TSE-1-1-0-

The new firmware version can be found in the download section of the RetailForce website at: https://www.retailforce.cloud/downloads/Swissbit/TseFirmwareUpdate/