Diebold Nixdorf continually monitors its client-facing information systems and networks, in addition to our own products, networks and information systems, for threats and vulnerabilities. On December 10, 2021, Apache published a security notice for a software component called Log4J (CVE-2021-44228) and rated the vulnerability as critical. The vulnerability can allow an unauthenticated attacker to gain complete access to a target system (via remote code execution). More information on this vulnerability can be found here.
Diebold Nixdorf’s Response - Diebold Nixdorf evaluated the vulnerability and its impact on our software and responded in line with our policies. Following our risk-based evaluation and processes, the company started providing hotfixes within 72 hours for this critical vulnerability for our impacted software products.
Apache’s response - Considering the severity of the initial vulnerability and the scale of the impacted systems, the Apache Log4j team quickly released v2.15.0 to patch the critical vulnerability (CVE-2021-44228). Subsequently, there was a new critical vulnerability found in this newly released version. This led Apache to release another update with version 2.16.0 (fixing CVE-2021-45046 with base CVSS score of 9.0 (Critical).
At the time of the release, all provided hotfixes for the impacted software are using log4j 2.16.0.
With the patches made available, Diebold Nixdorf has addressed the initial zero-day vulnerability CVE-2021-44228. Due to the ubiquitous nature of the incident and intense focus on Log4J, numerous security labs, users and open-source developers are taking a deeper look into the issue, especially at the lookup feature. As a result, there have been already four updated versions for log4j released in the weeks since the update has been released.
Diebold Nixdorf is committed to providing secure software to our customers. We are continuously monitoring the situation, contextualizing it to our software and performing risk assessments for any potential impact to our software products. Based on the severity of any identified vulnerabilities, Diebold Nixdorf will follow its security processes for remediation. For instance, medium and lower-risk vulnerabilities will be addressed as part of normal maintenance releases for the respective software products. Currently, all provided hotfixes for the impacted software are using log4j 2.16.0.