RICOH ProcessDirector™

The RICOH ProcessDirector team provides these procedures to mitigate the effects of CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

Ricoh understands the importance of security and is committed to managing its products and services with the most advanced security technologies possible for its customers worldwide, and released this statement to our customers.

All customers:

  • Virtually all current customers of RICOH ProcessDirector must update some part of your system to address these vulnerabilities.
  • Follow the procedure below the pink box to determine which parts of your system need to be updated and the actions required.

IF YOU ARE RUNNING RICOH PROCESSDIRECTOR 3.8.4 OR NEWER (including 3.9.x and 3.10):

  • Proceed to step 1 under the pink box to update your system.

IF YOU ARE RUNNING A VERSION OF RICOH PROCESSDIRECTOR PRIOR TO 3.8.4 READ THESE BULLETS:

  • RICOH ProcessDirector versions prior to 3.8.4 use log4j version 1.x, which predates the security vulnerability. Log4j version 1.x packages are neither updated nor removed in these mitigation procedures.
  • If your security processes require you to update all software to the most recent levels of log4j and you are running a version of RICOH ProcessDirector prior to version 3.8.4, you must first upgrade to RICOH ProcessDirector 3.10, then apply one of the patches provided.
  • If you have ever installed a ProductUpdate feature (such as to resolve a support ticket), some of the log4j files on your system might have been updated to log4j 2.x. Follow the procedure below the pink box to determine which parts of your system need to be updated and the actions required.

    Important:
  • April 19, 2022, 5:00 PM EDT
    • A permanent solution for updating Ricoh PDF Printers to log4j version 2.17.1 is now available. To get this update, contact Software Support and request the Ricoh PDF Printer feature, version 1.0.0.0.226574 or higher.
    • Updates to address the log4j vulnerability in IBM DB2 are available. Contact Software Support for an update package.
    • With this update, all RICOH ProcessDirector components have solutions to update log4j to version 2.17.1. This is the final update that the RICOH ProcessDirector team will provide on this page.
  • January 6, 2022, 4:00 PM EST
    • After following the instructions below to update RICOH ProcessDirector, JDNI lookup is disabled. As a result, following these procedures mitigates the vulnerability identified in CVE-2021-44832.
  • January 3, 2022, 7:00 PM EST
    • Updated with additional steps for updating RICOH PDF printers.
    • The RICOH ProcessDirector team is aware of CVE-2021-44832, published on December 28, 2021. The team is investigating whether this medium severity vulnerability affects RICOH ProcessDirector.
  • December 22, 2021, 6:30 PM EST
    • Steps to update the RICOH Transform Features have been added.
  • December 21, 2021, 7:00 PM EST
    • The log4j fixes provided on December 17th and 20th updated most of the log4j files in your RICOH ProcessDirector directory trees to version 2.16.0. We recommend following the instructions below to upgrade those files to log4j 2.17.0.

      At a later time, we will provide feature updates that contain these updates, but use these instructions to update log4j to version 2.17 now.

    • If you install additional features after applying this fix you might need to follow these instructions again.
    • IBM DB2 uses version log4j version 1.x, which is not affected by these security vulnerabilities. You do not need to update these files.
  • December 21, 2021, 1:30 PM EST
    • Instructions for the official fix posted on December 20th were removed from the website for revision.
    • Follow instructions for the temporary fix until further updates are posted.
  • December 20, 2021, 5:00 PM EST
    • Over the weekend, an additional security vulnerability related to log4j (CVE-2021-45105) was opened which necessitated the release of log4j version 2.17. RICOH ProcessDirector is not vulnerable to this high priority issue because it does not use context (ctx) lookups in its logging patterns. In addition, JNDI is disabled in log4j version 2.16 by default. RICOH ProcessDirector does not enable it.

      We plan to upgrade to log4j version 2.17 or later in the upcoming RICOH ProcessDirector version 3.10.1 release, per our established process for resolving high-, meduim-, and low-severity security vulnerabilities.

    • The procedures below have been updated to address incorrect path statements in some steps and to improve readability.
  • December 17, 2021, 11:30 PM EST:
    • An affected version of log4j was introduced in RICOH ProcessDirector in version 3.8.4 and is present in all versions through 3.10.0. The component was also included in ProductUpdate package 3.4.205086 and higher. Follow the instructions below to check your product version, download an update package, and install the update.

      In addition, an affected version of log4j was included in the RicohPDFPrinter feature package, version 1.0.0.0.212710 and later.

    • The instructions below provide two options: a temporary fix and an official fix. Both options install log4j version 2.16.
    • The RICOH Transform Feature and RICOH PDF Printers also require updates. Instructions for those updates are under development.

To update RICOH ProcessDirector to address these vulnerabilities:

  1. Determine which components of RICOH ProcessDirector you must update.
    These components of RICOH ProcessDirector include affected levels of log4j:
    1. The base product

      Navigate to this directory on your primary computer:

      • AIX or Linux: $AIWDATA/lib
      • Windows: %AIWDATA%\lib
      If you see the file log4j.jar in that directory, you must complete step 4 to update the base product.

    2. RICOH PDF printers

      This component is installed by default and has contained affected versions of log4j for many versions. All customers must follow the instructions in step 5 to update this component.

    3. RICOH ProcessDirector Plug-in for Adobe Acrobat

      If you have installed the PDF Document Support feature and users have installed the Adobe Acrobat plug-in, each user must follow the instructions in step 6 below.

    4. RICOH Transform Features

      RICOH Transform Features for RICOH ProcessDirector version 3.9.2 or higher include an affected version of log4j. Follow the instructions in step 7 below.

      Previous versions of the Transform Features use unaffected versions of log4j and do not need to be updated.

  2. Download the patch that contains log4j.jar version 2.17.0:
    1. Click to download: log4j patch
      MD5 checksum: 02590758d0020507effa40b6a041ad37
    2. Move the patch to a location that you can access from your primary computer.
    3. Verify the checksum for the package matches the value listed above.
      Open a command prompt and run the correct command for the operating system you are working on. Replace File or package name with the name of the file or package to verify.
      • AIX: csum -h MD5 File or package name
      • Linux: md5sum File or package name
      • Windows: certutil -hashfile File or package name MD5

      If the value does not match, do not install the package. Delete the package and download again.

  3. Back up your system before you make any changes.
  4. Install the log4j fix for the base product:
      Note:
    • This process only instructs you to update log4j version 2.x files, not version 1.x files.
    • For RICOH ProcessDirector versions lower than 3.8.4: Do not replace any log4j-1.x*. files. If you need to migrate from log4j1.x to log4j 2.17, you must upgrade to RICOH ProcessDirector version 3.10.
    • For RICOH ProcessDirector versions 3.8.4 and higher: If you find any log4j-1.x files on the system, they are not used and should be safe to remove. RICOH ProcessDirector 3.8.4 and higher only uses log4j 2.x files.
    1. To install on Linux or AIX:
      1. Log in as the RICOH ProcessDirector system user (default is aiw1).
      2. Navigate to $AIWDATA
      3. Run this command: find . | grep log4j.jar|grep -v ant-apache-log4j.jar
          Note:
        • ant-apache-log4j.jar is not the same as log4j.jar. The command excludes the ant-apache-log4j.jar files from the results because that file does not need to be updated.
      4. Replace all instances of log4j.jar in the $AIWDATA directory tree with the version that you downloaded.
      5. Navigate to $AIWPATH.
      6. Run this command: find . | grep log4j.jar|grep -v ant-apache-log4j.jar
          Note:
        • ant-apache-log4j.jar is not the same as log4j.jar. The command excludes the ant-apache-log4j.jar files from the results because that file does not need to be updated.
      7. Replace all instances of log4j.jar in the $AIWPATH directory tree with the version that you downloaded.
      8. Run this command to restart RICOH ProcessDirector: stopaiw && startaiw
    2. To install on Windows:
      1. Log in as the user who installed RICOH ProcessDirector.
      2. Stop the RICOH ProcessDirector service.
      3. Open file explorer and navigate to: %AIWDATA%
      4. Search for all instances of the log4j.jar.
          Note:
        • ant-apache-log4j.jar is not the same as log4j.jar. Do not update ant-apache-log4j.jar from your list.
      5. Replace all instances of log4j.jar under the %AIWDATA% directory with the version that you downloaded.
      6. Navigate to: %AIWPATH%
      7. Search for all instances of the log4j.jar.
          Note:
        • ant-apache-log4j.jar is not the same as log4j.jar. Do not update ant-apache-log4j.jar from your list.
      8. Replace all instances of log4j.jar under the %AIWPATH% directory with the version that you downloaded.
      9. Restart the Windows system.
  5. Install the fix for the RICOH PDF printers:
      Note:
    • The procedures for Windows primary and application servers refer to the 7-Zip program for manipulating ZIP and other types of compressed files. If you do not have or cannot install 7-Zip, you can use another utility that lets you delete files from an archive. Adapt the instructions for the utility you use.
    1. On the Linux primary server:
      1. Log in as the RICOH ProcessDirector user (default is aiw1).
      2. Open a command line and type:
        cd $AIWDATA/pc/ws/webapps/printing/WEB-INF/lib/
        ls log4j-core*
      3. Make note of the full name of the log4j-core . For example, the file name might be log4j-core-2.14.0.jar.
      4. Type this command, replacing JAR_file_name with the full name of the log4j-core :

        zip -q -d JAR_file_name org/apache/logging/log4j/core/lookup/JndiLookup.class

        For example, if the file name is log4j-core-2.14.0.jar, enter this command:

        zip -q -d log4j-core-2.14.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

      5. To verify that the command above removed the JndiLookup class from the log4j package, run this command:

        unzip -l JAR_file_name | grep JndiLookup

        The command returns no results when the step above worked properly.

      6. Delete the file sdi.jar. Enter these commands:

        cd $AIWDATA/pc/bin/depends/lib
        rm sdi.jar

      7. Restart RICOH ProcessDirector. Run this command:

        stopaiw && startaiw

    2. On the Linux secondary server:
      1. Log in as the RICOH ProcessDirector user (default is aiw1).
      2. Check to see whether this directory exists on the system: $AIWPATH/pc/ws/webapps/printing/WEB-INF/lib/

        If it exists, continue with the next step. If it does not exist, you do not have to make any changes on the Secondary server. Continue to step 5.

      3. Open a command line and type:
        cd $AIWPATH/pc/ws/webapps/printing/WEB-INF/lib/
        ls log4j-core*
      4. Make note of the full name of the log4j-core . For example, the file name might be log4j-core-2.14.0.jar.
      5. Type this command, replacing JAR_file_name with the full name of the log4j-core :

        zip -q -d JAR_file_name org/apache/logging/log4j/core/lookup/JndiLookup.class

        For example, if the file name is log4j-core-2.14.0.jar, enter this command:

        zip -q -d log4j-core-2.14.0.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

      6. To verify that the command above removed the JndiLookup class from the log4j package, run this command:
        unzip -l JAR_file_name | grep JndiLookup

        The command returns no results when the step above worked properly.

      7. Delete the file sdi.jar. Enter these commands:

        cd $AIWPATH/pc/bin/depends/lib
        rm sdi.jar

      8. Restart RICOH ProcessDirector. Run this command:
        stopaiw && startaiw
    3. On the Windows primary server:
      1. In File Explorer, open %AIWDATA%\pc\ws\webapps\printing\WEB-INF\lib.

        AIWDATA is usually a path likeC:\aiw\aiw1

      2. Right click the log4j-core*. and select 7-ZipOpen Archive.
      3. In 7-ZIP, open: org/apache/logging/log4j/core/lookup
      4. Find and delete: JndiLookup.class
      5. Return to File Explorer and open: %AIWDATA%\pc\bin\depends\lib
      6. Find sdi.jar and delete it.
      7. Restart the RICOH ProcessDirector service.
    4. On a Windows Application server:
      1. In File Explorer, see whether this directory exists: %AIWPATH%\pc\ws\webapps\printing\WEB-INF\lib.

        AIWPATH is usually a path like C:\Program Files\Ricoh\ProcessDirector

        If it exists, continue with the next step. If it does not exist, you do not have to make any changes on the Application server. Continue to step 5.

      2. Right click the log4j-core*. and select 7-ZipOpen Archive.
      3. In 7-ZIP, open: org/apache/logging/log4j/core/lookup
      4. Find and delete: JndiLookup.class
      5. Return to File Explorer and open: %AIWPATH%\pc\bin\depends\lib
      6. Find sdi.jar and delete it.
      7. Restart the RICOH ProcessDirector service.
  6. Instruct all users who have the RICOH ProcessDirector Plug-in for Adobe Acrobat installed on their systems to complete these steps. Provide these steps and the updated log4j.jar file to those users.
    1. Log on to the system where the RICOH ProcessDirector Plug-in for Adobe Acrobat is installed.
    2. Shut down Adobe Acrobat.
    3. Restart your Windows system to ensure all processes are stopped.
    4. Open file explorer and navigate to Adobe Acrobat Plugin install directory\plug_ins\InfoPrintPlugin\lib.
      For example, open: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\plug_ins\InfoPrintPlugin\lib
    5. Replace the existing log4j.jar with the version that you downloaded.
  7. If you have the RICOH Transform features installed, update them to use log4j version 2.17.
    1. Click to download the correct update package:
      • AIX

        log4j patch for Transform Features on AIX

          Note:
        • After you download this file, the file name should be: tf_patch_log4j_aix.tar.gz However, if you download the file using the Chrome browser, the final suffix (.gz) might be stripped off. Rename the file to tf_patch_log4j_aix.tar.gz before you proceed.

        MD5 checksum: 95cb3a6677e4eb574d03b9bed5f62d4f

      • Linux

        log4j patch for Transform Features on Linux

          Note:
        • After you download this file, the file name should be: tf_patch_log4j_linux.tar.gz However, if you download the file using the Chrome browser, the final suffix (.gz) might be stripped off. Rename the file to tf_patch_log4j_linux.tar.gz before you proceed.

        MD5 checksum: fc8a71a2287fcc90360b20776b0fe31a

      • Windows

        log4j patch for Transform Features on Windows

        MD5 checksum: 3ef4e02c45b8e456c23648cdc02bd685

    2. Move the patch to an empty directory in a location that you can access from your primary computer.
    3. Verify the checksum for the package matches the value listed above.
      Open a command prompt and run the correct command for the operating system you are working on. Replace File or package name with the name of the file or package to verify.
      • AIX: csum -h MD5 File or package name
      • Linux: md5sum File or package name
      • Windows: certutil -hashfile File or package name MD5

      If the value does not match, do not install the package. Delete the package and download again.

    4. Install the update on AIX:
      1. Log in to your system as the root user.
      2. Navigate to the package you downloaded. Run these commands to unpack the package:
        • gzip -d tf_patch_log4j_aix.tar.gz
        • tar -xf tf_patch_log4j_aix.tar
      3. Run the ./patch_aix.sh script file.
      4. To verify that the patch was correctly applied:
        • Run the command: find /opt/infoprint/itm -name "log4j-*"
        • You should see only the log4j libraries with version 2.17.0
    5. Install the update on Linux:
      1. Log in to your system as the root user.
      2. Navigate to the package you downloaded. Run these commands to unpack the package:
        • gzip -d tf_patch_log4j_linux.tar.gz
        • tar -xf tf_patch_log4j_linux.tar
      3. Run the ./patch_linux.sh script file.
      4. To verify that the patch was correctly applied:
        • Run the command: find /opt/infoprint/itm -name "log4j-*"
        • You should see only the log4j libraries with version 2.17.0
    6. Install the update on Windows:
      1. Log in as a user who is a member of the Administrator security group.
      2. Navigate to the package you downloaded and unpack the packages.
      3. Run the patch_windows.cmd script file.
      4. To verify that the patch was correctly applied:

        • Open a command prompt and change the current drive to the drive where Transform Features are installed. The default installation path for the Transform Features is: C:\Program Files\InfoPrint\InfoPrint Transform Features
        • Run the command: dir /s "log4j-*.jar"
        • You should see only log4j libraries with version 2.17.0