OTCnet
OLB Release 2.4.0.7 Overview
In January 2022, the U.S. Treasury Bureau of the Fiscal Service (Fiscal Service) Over the Counter Division (OTCD) updated the Over-the-Counter Channel Application (OTCnet) OTCnet Local Bridge (OLB) to version 2.4.0.7. This release addresses critical security vulnerabilities identified in the Apache Log4j logging package used by earlier versions of the OLB.
OLB version 2.4.0.7 is the only OLB version available for users to download, as it is currently the most secure version. Fiscal Service strongly advises agencies to uninstall previous OLB versions and install OLB 2.4.0.7 and Firmware 4.3.0 on their workstations for optimal protection against security threats.
System Enhancements
OLB version 2.4.0.7 introduces the following security enhancements:
- The Apache Log4j package used by the OLB has been upgraded to Log4j version 2.17.1, which addresses the following Log4j vulnerabilities:
- The Spring Framework components used by the OLB have been upgraded to version 5.3.14, which resolves the following Spring Framework vulnerabilities:

* Due to how the Spring Framework is used in the OLB, these vulnerabilities are mitigated in earlier versions of the OLB.
Additionally, OTCnet Online and OTC Kiosk Application in production and all QA (testing) environments have been upgraded to use Apache Log4j version 2.17.1.