
HELP24 HOTLINE

Postilion - Log4J Vulnerability – CVE-2021-44228
December 14, 2021

At a glance…

• What is affected?
  • BINServices
  • Token Vault API
  • RTFW (only when Log4jScribe is enabled)
  • CardManagementServices
  • FleetCardManagementServices
  • eSocket.Web
  • Payments API
  • eSocket.POS v3.0
  • Token Engine Components

• What action(s) must be taken?
  Short-term: see the Workaround section.
  Permanent solution: ACI will be distributing patches for affected components to address the vulnerability.

What is affected?

The security community has announced the discovery of a zero-day vulnerability (CVE-2021-44228) in the popular Java logging library log4j2, which can result in Remote Code Execution (RCE) when a specially crafted string is logged.

Workaround

System properties can be set that remediate the vulnerability as a short-term solution. The configuration change is required on all servers that run an affected Postilion application, and a restart of Postilion services is required for the property to take effect. Further details on the required configuration can be found below.

Permanent Solution

ACI will be releasing patches for Postilion components affected by the vulnerability. Target dates for the release of the patches are still to be communicated.

If you have any questions concerning the content of this notice, please open a case via
the HELP24 eSupport portal at www.aciworldwide.com/support.

Configuration Changes for Remediating Log4J Vulnerability

The configuration change required for addressing the Log4J vulnerability in the short term involves setting a JVM system property (or the equivalent environment variable) on each server. Which property or change applies depends on the version of Log4J that the Postilion installation is running. There are two steps to perform:

© Copyright ACI Worldwide, Inc. 2019


ACI, ACI, ACI Worldwide, ACI Payments, Inc., ACI Pay, Speedpay and all ACI product/solution names are trademarks
or registered trademarks of ACI Worldwide, Inc., or one of its subsidiaries, in the United States, other countries or both.
Other parties’ trademarks referenced are the property of their respective owners.

1. Identify the version of Log4J in use.


2. Set the applicable system property depending on the version.

Determining Log4J Version:

Save the following commands in a batch file to write the path of every Log4J jar file to a text file (%postiliondir% is assumed here to hold the Postilion installation directory; substitute the real path if no such variable is defined on the server):

REM %postiliondir% is assumed to hold the Postilion installation directory
cd /d "%postiliondir%"
if not exist C:\temp mkdir C:\temp
dir /s /b *log4j*.jar > C:\temp\find_log4j_lib_output.txt

The output file lists the full path of each Log4J jar file in use, one per line; the version number is part of the file name (for example log4j-core-2.14.1.jar). Only log4j-core jars carry the vulnerable lookup code, but every jar found should be recorded so that the same version is confirmed across components.

Configuration Change:

The change needs to be made on all servers running an affected Postilion application. All affected
Postilion services must be restarted after the change.

Version              Remediation

2.10 and greater     Set either the system property log4j2.formatMsgNoLookups or the
                     environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

2.7 to 2.14.1        PatternLayout patterns can be modified to specify the message
                     converter as %m{nolookups} instead of just %m. This is done by
                     modifying the Log4jScribe configuration in the
                     cfg_system_properties database table.

                     Note: A default installation of Postilion does not utilize
                     Log4jScribe. If an entry is present, it would have been added as a
                     manual entry.

                     If Log4jScribe is in use, update its custom class parameters to
                     specify "pattern_layout=[%p] %m{nolookups} %throwable", or change
                     any "%m" in a pattern_layout already specified into
                     "%m{nolookups}".

2.0-beta9 to 2.7     Remove the JndiLookup class from the classpath:
                     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

1.x (all versions)   No impact. No remedial action required.
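The two steps above (find the Log4J jars, then pick the row of the table that matches each version) are easy to get wrong by hand because the rows overlap and the version strings include pre-release tags such as 2.0-beta9. The following script is an added example, not ACI or Postilion code: it walks an installation directory the way the batch file does, parses each jar's version from its file name, returns every table row that applies, and, for the 2.0-beta9 to 2.7 row, rewrites log4j-core without JndiLookup.class. That last part matters on Windows hosts, where the `zip` command in the table is not available. It assumes Apache's log4j-<module>-<version>.jar naming; the directory tree it builds for the demo is constructed and contains placeholder entries rather than real Log4J bytecode. Note also that Apache has since withdrawn the formatMsgNoLookups and %m{nolookups} mitigations as incomplete; this notice predates that, and the code encodes only the table as printed.

```python
# Added example (not ACI/Postilion code): audit Log4j jars under a Postilion install
# against the table above. Assumes jar names follow Apache's log4j-<module>-<version>.jar
# convention; build_sample_jars() fabricates a stand-in tree for the demo.
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-1.2.17.jar, log4j-1.2-api-2.14.1.jar
_NAME_RE = re.compile(
    r"^log4j(?:-[a-z0-9.]+)*?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$", re.I)
# Table boundaries as (major, minor, patch, stage, stage_no); stage: beta=0 < rc=1 < final=2
V2_0_BETA9, V2_7, V2_10, V2_14_1 = (2, 0, 0, 0, 9), (2, 7, 0, 2, 0), (2, 10, 0, 2, 0), (2, 14, 1, 2, 0)

def parse_log4j_version(filename):
    """Version tuple from the jar file name, or None if it is not a log4j jar name."""
    m = _NAME_RE.match(os.path.basename(filename))
    if not m:
        return None
    major, minor, patch, stage, stage_no = m.groups()
    stage_rank = {"beta": 0, "rc": 1}.get((stage or "").lower(), 2)
    return (int(major), int(minor), int(patch or 0), stage_rank, int(stage_no or 0))

def remediation_for(version):
    """Table rows that apply; ranges overlap (2.10-2.14.1 is in two rows), so a list."""
    if version[0] == 1:
        return ["No impact (Log4j 1.x): no remedial action required."]
    rows = []
    if version >= V2_10:
        rows.append("Set system property log4j2.formatMsgNoLookups=true (or env var "
                    "LOG4J_FORMAT_MSG_NO_LOOKUPS=true) and restart Postilion services.")
    if V2_7 <= version <= V2_14_1:
        rows.append("Change %m to %m{nolookups} in the Log4jScribe pattern_layout "
                    "(cfg_system_properties); nothing to do if Log4jScribe is not configured.")
    if V2_0_BETA9 <= version < V2_7:
        rows.append("Remove " + JNDI_CLASS + " from log4j-core (strip_jndi_lookup).")
    return rows or ["Version not covered by the table; treat as unknown."]

def find_log4j_jars(root):
    """Recursive equivalent of `dir /s /b *log4j*.jar`."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs
                  if "log4j" in f.lower() and f.lower().endswith(".jar"))

def jar_has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar_path):
    """What `zip -q -d` does (zip is not shipped with Windows): rewrite the jar without
    JndiLookup.class. Stop the owning service first (a running JVM holds the jar open).
    Keeps a .bak copy of the original. Returns True if the class was removed."""
    if not jar_has_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".tmp")
    os.close(fd)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps method and timestamp
    os.replace(tmp, jar_path)
    return True

def audit(root, fix_old_cores=False):
    """Version and table rows per jar; optionally apply the third row to old core jars."""
    report = []
    for jar in find_log4j_jars(root):
        ver = parse_log4j_version(jar)
        rows = remediation_for(ver) if ver else ["Unrecognised log4j jar name."]
        old_core = bool(ver) and V2_0_BETA9 <= ver < V2_7 and "log4j-core" in os.path.basename(jar).lower()
        removed = strip_jndi_lookup(jar) if fix_old_cores and old_core else False
        report.append({"path": jar, "version": ver, "rows": rows, "jndi_removed": removed})
    return report

def build_sample_jars(root):
    """Constructed stand-in tree, not real Postilion files; the 2.x core jars carry a
    placeholder JndiLookup.class entry (not bytecode) so there is something to strip."""
    names = ["BINServices/lib/log4j-core-2.14.1.jar", "TokenVaultAPI/lib/log4j-core-2.0-beta9.jar",
             "eSocket.Web/lib/log4j-api-2.11.2.jar", "Legacy/lib/log4j-1.2.17.jar"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if "log4j-core-2" in rel:
                zf.writestr(JNDI_CLASS, b"placeholder")

def demo():
    """Audit the constructed tree in a temp dir with the fix applied; basename-keyed result."""
    root = tempfile.mkdtemp(prefix="postilion_log4j_")
    try:
        build_sample_jars(root)
        before = {os.path.basename(j): jar_has_jndi_lookup(j) for j in find_log4j_jars(root)}
        report = {os.path.basename(r["path"]): r for r in audit(root, fix_old_cores=True)}
        after = {os.path.basename(j): jar_has_jndi_lookup(j) for j in find_log4j_jars(root)}
        return {"before": before, "report": report, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Against a real server, call audit() with the Postilion installation directory and fix_old_cores left at False first, so the report can be reviewed before any jar is rewritten; demo() only exercises the constructed tree. The script reports which jars need the system property or environment variable but does not change system settings; on a Windows host the variable route is an elevated `setx /M LOG4J_FORMAT_MSG_NO_LOOKUPS true` followed by the service restart the notice requires.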
