RXOP

Hello,

In order to resolve log4j vulnerability, we upgraded RXOP version to the latest 3.8.7 for our installation application.  We are able to compile and run the application successfully BUT when we try to get the cvm version, it throws the following error:

Exception: ricoh.rxop.rxcommon.RxopException: org/apache/commons/codec/binary/Base64

We tested on device model RICOHMP C306Z.

Following is the code where it throws an error: I see the device IP address in the log but after that i see an error. (m_deviceObject is the RicohJavaDevice object). I have attached RXOP log (OmtoolRXOPClient.log)

try
        {

       String sDeviceName = "", sDescription = "";
        String sCVMVersion = "", sIsAndroidDevice = "false";

            LogManager.LogEntry("Device IP retrieved: " + m_deviceObject.getIP());
            sCVMVersion = m_deviceObject.getCVMversion();
            LogManager.LogEntry("CVM Version: " +   sCVMVersion);

            sDeviceName = GetDeviceName();
             
             sIsAndroidDevice = VerifyAndroidDevice();
             
             sDescription = GetListOfAppInstalled();
            
            LogManager.LogEntry("Device Name: " + sDeviceName);
        }
        catch(RxopException e)
        {
            SetError("Query Exception: " + e.toString());            
        }

I have attached the following:

1) Device model: RICOHMP C306Z firmware update

2) OmtoolRXOPClient-1.txt (RXOP Log)

3) Device log:  MachineInfo_G445P801261_20220120_113959.tar

Please let me know if you need any more information.

Regards

Niranjini

Hi,

I use RXOP 3.8.7 to call ricohConfigurator.getDateTimeSettings() to get date/time information but get error null.

The issue occurs in almost devices we have.

Please help.

Thanks.

Best Regards,

Hi,

When use RXOP to set Service Program on SP C842DN, SP 8400 DN devices.

These Service Program cannot to be set:

• ServiceProgram.ACCESS_CONTROL__SDK_CERTIFICATION_DEVICE
• ServiceProgram.USER_AUTHENTICATION__PRINTER
• ServiceProgram.ADMINISTRATOR_AUTHENTICATION_MANAGEMENT__USER_ADMINISTRATOR_AUTHENTICATION_SETTING
• ServiceProgram.USER_AUTHENTICATION_MANAGEMENT
• ServiceProgram.PRINTER_JOB_AUTHENTICATION_LEVEL
• ServiceProgram.TRACK_PERMISSION
• ServiceProgram.STOP_PRINT_SETTING
• ServiceProgram.MACHINE_ACTION_WHEN_LIMIT_REACHED
• ServiceProgram.DEFAULT_USER_PERMISSION

We wonder whether these Service Program is supported or not. How can us know what Service Program is not supported? By return code or else?

Please advise.

Thank you very much.

Hi Ricoh Support,

Currently, our customers report for this vulnerability related to log4j 1.x: 

 https://nvd.nist.gov/vuln/detail/CVE-2019-17571 

RXOP version before 3.8.6 is using log4j 1.x.

Could you please confirm whether or not RXOP is using SocketServer from log4j 1.x?

Thank you,

Hello,

I am getting asked by management, who I think is getting asked by various customers, what is Ricoh's official response to the Log4j security vulnerability recently found?

From what I can tell, Log4j is required to be distributed with our deployment solution because we use the RXOP library.

Does Ricoh have any timeframe when Log4j will be updated to a fix that doesn't include this vulnerability?

Also, for customer's who are currently stuck on an older Log4j version because of RXOP, what is Ricoh's official statement to customers? The customer asks us for an answer and it would be good for us if we can answer in the same manner as Ricoh since it is distributed with RXOP.

I checked here first:

https://www.ricoh.com/info/2021/1215_1/

I didn't see anything here mentioning the RXOP or similar.

Regards
Bryan

[Created from Request document that explain details about User and Administrator settings | Ricoh Developer Program (RiDP) (ricoh-ridp.com)]

Hi,

Thank you for your support.

When I add these Service Program to get, set sp mode on IM 600 device:

SP_LIST_SOP.add(ServiceProgram.OPTIONAL_COUNTER_TYPE__DEFAULT_OPTIONAL_COUNTER_TYPE);
        SP_LIST_SOP.add(ServiceProgram.OPTIONAL_COUNTER_TYPE__EXTERNAL_OPTIONAL_COUNTER_TYPE);

such as: 

List<SPValue> spData = spManager.getSPData(this.acl, SP_LIST_SOP)

I received this error:

Unexpected HTTP status: 403, detail :ResponseEntityProxy{[Content-Type: text/html;charset=ISO-8859-1,Content-Length: 1445,Chunked: false]}

I think current acl have not right to get above these Service program setting. If so, please give new acl.

Thanks.

Best Regards,

Hi,

I use the information from this incident

https://ricoh-ridp.com/ridp/support-system/incident/ricoh-sdc-canada/1636039344/1396866899/4293

to register new usb card reader by RXOP.

Please help to review this snippet:

PID = 21544;

VID = 1899;

CardReaderSetting cardReaderSettings = ricohConfigurator.getCardReaderSetting();
cardReaderSettings.setREADER_USED("USB");
USBCardReaderSetting usbCardReaderSettings = cardReaderSettings.getUsbSetting();
usbCardReaderSettings.setUSB_PRODUCT_ID(PID);
usbCardReaderSettings.setUSB_VENDOR_ID(VID);
usbCardReaderSettings.setUSB_READER_NAME("USB Card Reader");
usbCardReaderSettings.setUSB_CLASS("KSR");
usbCardReaderSettings.setUSB_PLUGIN("jp.co.ricoh.advop.cisplugin.keystroke");
usbCardReaderSettings.setUSB_AUTH(true);

ricohConfigurator.SetCardReaderSetting(cardReaderSettings);

• Is this right?
• These information can apply for all USB card readers (every PID, VID)?
• If not
  • what values can apply for USB_CLASS parameter? please list detail.
  • what values can apply for USB_PLUGIN parameter? please list detail.
• If we would like to delete registered USB card reader, we set all above parameters is null?
• Can register only one USB or many? If many then how?
• Need to reboot device after run ricohConfigurator.SetCardReaderSetting(cardReaderSettings);?

Thank you for your help.

Best Regards,

Hello,

what is the update on log4j library Vulnerability: CVE-2021-4104 Detail as explained in the following link:

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

I did not see any information regarding this vulnerability in the Ricoh webiste Alerts and Security Vulnerabilities Announcements.

Regards

Niranjini

Hi,

In this incident https://ricoh-ridp.com/ridp/support-system/incident/ricoh-sdc-canada/1639507663/605558151/4381

We requested update RXOP because of log4j-core-2.14.1.jar Vulnerability and it moved to FAQ tracking this CVE impact: What is the impact of the Log4j exploit captured as CVE-2021-44228? | Ricoh Developer Program (RiDP) (ricoh-ridp.com)

When you update RXOP library please update this library to the latest as well:

gson-2.3.1.jar - High Severity Vulnerabilities - WS-2021-0419 | WhiteSource Vulnerability Database (whitesourcesoftware.com)

Hi Ricoh Support,

Currently, our customers report for this vulnerability related to log4j 1.x: https://access.redhat.com/security/cve/CVE-2021-4104

RXOP version before 3.8.6 is using log4j 1.x.

Could you please confirm whether or not RXOP is using JMSAppender from log4j 1.x?

Thank you,