Apache Log4j Security Vulnerability in Some OpenLab Products

23 Dec 2021

Summary

Some Molecular Spectroscopy products contain version 2.8.2 of the Apache Log4j utility which has been found to contain a critical security vulnerability. This is documented in the United States National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Products Not Affected:

Cary WinFLR for the Cary Eclipse spectrophotometer
Cary WinUV v5.X (inc. SCM/SDA) for the Cary 60 UV-Vis spectrophotometer
Cary WinUV v6.X for the Cary 4/5/6/7000 UV-Vis and UV-Vis-NIR spectrophotometer
Cary WinUV v4.X (inc. SCM/SDA) for the Cary 100/300 UV-Vis spectrophotometer
UV-Vis ChemStation software for the 845X UV-Vis spectrophotometer
MicroLab v5.X software for the Cary 630 and handheld FTIR spectrometers
MicroLab Expert v1.X
Resolutions Pro FTIR v5.x software for the Cary 600 series FTIR spectrometers and microscopes
Clarity v1.x for the 8700 LDIR Imaging System
Cary UV Workstation v1.0, 1.1, and 1.2 without Content Management for the Cary 3500 UV-Vis spectrophotometer
Agilent RapID Raman, all versions of the RapID software
Agilent Vaya Raman, all versions of the Vaya software
Agilent Resolve and Command all versions of software
Agilent Insight v.3.X and Overview v.2.X
Agilent TRS100 Raman, all versions of the TRS100 ContentQC software

Products Affected:

Cary UV Workstation Plus v1.1 and v1.2 (G5194AA and G5195AA)

Fix Information:

Agilent released software updates with the new version of Apache Log4j released by the Apache Software Foundation. Links are posted below.

Cary UV Workstation Plus

Version	Fix Update
Cary UV Workstation Plus 1.1	Server.PatchInstaller-2.4.6-REL_2.4.6.3.zip
Cary UV Workstation Plus 1.2	Server.PatchInstaller-2.5.4-REL_2.5.4.9.zip
Cary UV Workstation Plus 1.3*	Server.PatchInstaller-2.6.2-REL_2.6.2.15.zip

* Please note: the patch may be required when performing a partial reinstall. The Server Patch is included as standard with the installation of Cary UV Workstation Plus 1.3 and should otherwise not be required.

Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Cary UV Workstation Plus OpenLab Log4j Patch Installation Guide.

It is sole responsibility of user organizations to perform software qualification and validation in accordance with user’s organizational policies and procedures. The information provided by Agilent in this document is for informational purposes for the user organization to determine the extent of software qualification and validation required.

Change Log

21Dec2021: Initial version

16Feb2022: Update to include Fix Information, removed Temporary Fix details.

Was this helpful?