Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

log4j vulnerability in Oracle Payment Interface

Status
Not open for further replies.

colinmcleod

IS-IT--Management
May 30, 2016
32
CA
Does anyone have the OPI 20.3.0.4 installer? I'm going to perform their log4j mitigation steps but I'm still on 6.2 so was hoping to upgrade to absolute latest version. I checked the Oracle Software Delivery but it's still only OPI 20.3.0.0
 
A dang I lack the entitlement. Oracles mitigation is the following but it doesn't seem to do anything? Do you happen to know what their goal with this was? Is it meant to take and zip the log4j jars removing them?

Changes Required for Oracle Payment Interface (OPI) Version 19.1 or Version 6.2 running with Oracle Hospitality Point of Sale Products

This remediation is only required for users of Oracle Hospitality Point of Sale Products that also use OPI.

Complete the following steps on each machine where OPI in installed.

1. The commands listed in the instructions use 7zip. Make sure 7zip is installed under “c:\Program Files\7-Zip”. If you do not have 7zip installed, you can download it from If you have 7zip installed under a different folder, adjust the path of 7zip in the command to match the folder where 7zip is installed. See step 9 for details. It is also important to note that if you are planning to copy and paste the commands listed in the instructions below please always copy and paste them into a notepad first to avoid unwanted formatting characters to be copied into the command, and for a single line command please make sure they stay within one line, before copying and pasting the command into Windows command line for execution.

2. Open a Windows Command line as an Administrator.

3. Stop OPI services by executing the below three commands one by one:

sc stop OPIService
sc stop OPIConfigService
sc stop UtilityService

4. Make sure the OPI configurator is closed.

5. Create a folder using the following command:

mkdir C:\OraclePaymentInterfaceLog4jRemediation

6. Go to the OPI installation folder (use the environment variables OPI_HOME to determine your drive and folder names): cd [drive]:\OraclePaymentInterface

7. List and log existing log4j-core jar files (please note this is a single one-line command):

dir log4j-core* /b/s >> C:\OraclePaymentInterfaceLog4jRemediation\RemediationLog.txt

8. Make a backup of the existing log4j-core jar files (please note this is a single one-line command):

FOR /F %i IN ('dir log4j-core* /b/s') DO if not exist C:\OraclePaymentInterfaceLog4jRemediation\log4j-core* (copy %i C:\OraclePaymentInterfaceLog4jRemediation >> C:\OraclePaymentInterfaceLog4jRemediation\RemediationLog.txt
) else (break)

9. Run the following command, making sure to change the path of 7zip highlighted below if 7zip is installed under a different folder on your computer (please note this is a single one-line command):

FOR /F %i IN ('dir log4j-core* /b/s') DO "c:\Program Files\7-Zip\7z.exe" d –r %i JndiLookup.class >> C:\OraclePaymentInterfaceLog4jRemediation\RemediationLog.txt

10. Start the OPI services by executing the following three commands in order:

sc start UtilityService
sc start OPIConfigService
sc start OPIService
 
Ah k, I think it's attempting to open the JAR files as an archive and delete the JndiLookup.class file. It doesn't appear to do that though as I've tested and the vulnerability is still there.

So I assume the class is included with the library but not in use by OPI.
 
I ended up using log4fix against the log4j-core-2.8.2.jar and OPI is working just fine and the vulnerable class is gone.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top