Statement about the security issue in the log4j library (CVE-2021-44228)

There is currently a vulnerability in "log4j" (BSI reference: CVE-2021-44228) that is rated critical by the BSI. The vulnerable versions of the "log4j" library are 2.0 up to and including 2.14.1.

We hereby inform you that our products are not affected by this vulnerability. The reasons are explained below:

Banking
Our offline banking products (CoinRoll 123, MultiServ xx, CoinIn 3xy, SafeBag 9xy) use their own logging system instead of the log4j library. The described attack scenarios therefore do not apply to these products.

In the online context, HESS provides only the XFS framework and XFS drivers for the CoinIn 3x5 products. These also use their own logging system rather than log4j. For questions about the use of the Apache Log4j library in the online software installation of the CoinIn devices (Atruvia/FinanzInformatik), please contact your responsible contact person at the respective data center.

Payment systems
Our Multipay ATM series products and their MultiControl controller, as well as the HESS payment system, use their own logging system and are therefore not vulnerable.

MPA customers
HESS MPA is operated on servers that rely on their own logging system. This product is therefore also secure and not vulnerable to CVE-2021-44228.

Contact

Telephone:
+49 7159 4009-0

E-Mail:
info(at)hess.de