log4j vulnerability in Oracle Payment Interface

[colinmcleod]

Does anyone have the OPI 20.3.0.4 installer? I'm going to perform their log4j mitigation steps but I'm still on 6.2 so was hoping to upgrade to absolute latest version. I checked the Oracle Software Delivery but it's still only OPI 20.3.0.0

 

[Niko S]

https://aru-akam.oracle.com/adcarur...m=1640222293_e7373b9e858718f7273b0e0494dc1e08

 

[Niko S]

https://support.oracle.com/epmos/fa...alue="false"/></Search>"/>

 

[Niko S]

You can download the 20.3.0.4 from the link.

 

[colinmcleod]

A dang I lack the entitlement. Oracles mitigation is the following but it doesn't seem to do anything? Do you happen to know what their goal with this was? Is it meant to take and zip the log4j jars removing them?

Changes Required for Oracle Payment Interface (OPI) Version 19.1 or Version 6.2 running with Oracle Hospitality Point of Sale Products

This remediation is only required for users of Oracle Hospitality Point of Sale Products that also use OPI.

Complete the following steps on each machine where OPI in installed.

1. The commands listed in the instructions use 7zip. Make sure 7zip is installed under “c:\Program Files\7-Zip”. If you do not have 7zip installed, you can download it from

https://www.7-zip.org/download.html.

If you have 7zip installed under a different folder, adjust the path of 7zip in the command to match the folder where 7zip is installed. See step 9 for details. It is also important to note that if you are planning to copy and paste the commands listed in the instructions below please always copy and paste them into a notepad first to avoid unwanted formatting characters to be copied into the command, and for a single line command please make sure they stay within one line, before copying and pasting the command into Windows command line for execution.

2. Open a Windows Command line as an Administrator.

3. Stop OPI services by executing the below three commands one by one:

sc stop OPIService
sc stop OPIConfigService
sc stop UtilityService

4. Make sure the OPI configurator is closed.

5. Create a folder using the following command:

mkdir C:\OraclePaymentInterfaceLog4jRemediation

6. Go to the OPI installation folder (use the environment variables OPI_HOME to determine your drive and folder names): cd [drive]:\OraclePaymentInterface

7. List and log existing log4j-core jar files (please note this is a single one-line command):

dir log4j-core* /b/s >> C:\OraclePaymentInterfaceLog4jRemediation\RemediationLog.txt

8. Make a backup of the existing log4j-core jar files (please note this is a single one-line command):

FOR /F %i IN ('dir log4j-core* /b/s') DO if not exist C:\OraclePaymentInterfaceLog4jRemediation\log4j-core* (copy %i C:\OraclePaymentInterfaceLog4jRemediation >> C:\OraclePaymentInterfaceLog4jRemediation\RemediationLog.txt
) else (break)

9. Run the following command, making sure to change the path of 7zip highlighted below if 7zip is installed under a different folder on your computer (please note this is a single one-line command):

FOR /F %i IN ('dir log4j-core* /b/s') DO "c:\Program Files\7-Zip\7z.exe" d –r %i JndiLookup.class >> C:\OraclePaymentInterfaceLog4jRemediation\RemediationLog.txt

10. Start the OPI services by executing the following three commands in order:

sc start UtilityService
sc start OPIConfigService
sc start OPIService

 

[colinmcleod]

Ah k, I think it's attempting to open the JAR files as an archive and delete the JndiLookup.class file. It doesn't appear to do that though as I've tested and the vulnerability is still there.

So I assume the class is included with the library but not in use by OPI.

 

[colinmcleod]

I ended up using log4fix against the log4j-core-2.8.2.jar and OPI is working just fine and the vulnerable class is gone.