
Retail Pro and Apache Log4j

by pincoursefinance

Over this past weekend NIST announced a recent vulnerability in the Apache Log4j library, a Java library for logging error messages in applications. This has raised concern across the landscape about its impact and, more specifically, about its impact on Retail Pro-developed products.

First and foremost, Retail Pro International takes the topics of data and system security very seriously. Many businesses around the world rely upon Retail Pro to run their business, and therefore security is a real concern.

To start, Retail Pro-developed products do not use the Apache Log4j library. We do not take advantage of that interface, nor do we implement any code that would connect to Log4j from Retail Pro Prism. While Log4j is used in several Apache products, it is not used in the Apache HTTPD server, which is used by Retail Pro. Although Retail Pro does not use this library, you may see instances of it within the Oracle installation.

Oracle does deploy Log4j in relation to the JRE implementation in an Oracle server. Our Oracle servers will contain several different copies of the log4j-core.jar and a single copy of the log4j-1.2.13.jar file. These are deployed by Oracle and, according to documentation, would not be active in an out-of-box (OOBE) installation of Retail Pro Prism or Retail Pro 9.
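To confirm which of these Oracle-deployed copies are present on a given server, the following added example (not Retail Pro or Oracle code) walks a directory tree and lists Log4j jars, including ones nested inside other archives. The file-name pattern and the fallback to the manifest's Implementation-Version are assumptions of this example; pass your own Oracle installation directory as the argument.

```python
import io
import os
import re
import sys
import zipfile

# Assumed naming: log4j-core.jar, log4j-core-<ver>.jar, log4j-<ver>.jar.
JAR_RE = re.compile(r"^log4j(?:-core)?(?:-(\d+(?:\.\d+)*))?\.jar$", re.IGNORECASE)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def scan_archive(data, label, hits):
    """Record label if it names a Log4j jar, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        base = re.split(r"[!/\\]", label)[-1]
        m = JAR_RE.match(base)
        if m:
            hits.append((label, m.group(1) or manifest_version(zf) or "unknown"))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", hits)


def find_log4j(root):
    """Walk root and return sorted (location, version) pairs for Log4j jars."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    scan_archive(fh.read(), fh.name, hits)
    return sorted(hits)


if __name__ == "__main__":
    for location, version in find_log4j(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version}\t{location}")
```

A `!` in a reported location marks a jar found inside another archive, so the outer file is the one to raise with support.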

For details on how to remove these Oracle instances of Log4j, please reach out to your Retail Pro Support team. Again, Retail Pro-developed products are not using the Log4j library.

It is always prudent to keep your applications up to date with the most current released versions, but this is especially important when it comes to security. If you are not on the most current versions of your Retail Pro software, we recommend upgrading to ensure you are protected and running the latest Retail Pro technology.

Of course, system and business security does not rely solely upon an application developer, like Retail Pro International, ensuring their applications are secured. Infrastructure management and security are also of great importance. Keeping your technology infrastructure secure is critical in combatting vulnerabilities and threats like that of Log4j, as well as others. It is highly recommended to routinely review your systems, as well as audit your backup and recovery policies and processes, to ensure you are protected and can recover your systems should the need arise.

We will be keeping a close eye on this vulnerability as more information develops, while also working to ensure all of our third-party technology partners are taking necessary precautions as well.
