Apache Log4j Security Vulnerability in Some OpenLab Products


Some Molecular Spectroscopy products contain version 2.8.2 of the Apache Log4j utility which has been found to contain a critical security vulnerability. This is documented in the United States National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Products Not Affected:

  • Cary WinFLR for the Cary Eclipse spectrophotometer
  • Cary WinUV v5.X (inc. SCM/SDA) for the Cary 60 UV-Vis spectrophotometer
  • Cary WinUV v6.X for the Cary 4/5/6/7000 UV-Vis and UV-Vis-NIR spectrophotometer
  • Cary WinUV v4.X (inc. SCM/SDA) for the Cary 100/300 UV-Vis spectrophotometer
  • UV-Vis ChemStation software for the 845X UV-Vis spectrophotometer
  • MicroLab v5.X software for the Cary 630 and handheld FTIR spectrometers
  • MicroLab Expert v1.X
  • Resolutions Pro FTIR v5.x software for the Cary 600 series FTIR spectrometers and microscopes
  • Clarity v1.x for the 8700 LDIR Imaging System
  • Cary UV Workstation v1.0, 1.1, and 1.2 without Content Management for the Cary 3500 UV-Vis spectrophotometer
  • Agilent RapID Raman, all versions of the RapID software
  • Agilent Vaya Raman, all versions of the Vaya software
  • Agilent Resolve and Command all versions of software
  • Agilent Insight v.3.X and Overview v.2.X
  • Agilent TRS100 Raman, all versions of the TRS100 ContentQC software

Products Affected:

  • Cary UV Workstation Plus v1.1 and v1.2 (G5194AA and G5195AA) 

Fix Information:

Agilent released software updates with the new version of Apache Log4j released by the Apache Software Foundation. Links are posted below.

Cary UV Workstation Plus


Fix Update

Cary UV Workstation Plus 1.1


Cary UV Workstation Plus 1.2


Cary UV Workstation Plus 1.3*


* Please note: the patch may be required when performing a partial reinstall. The Server Patch is included as standard with the installation of Cary UV Workstation Plus 1.3 and should otherwise not be required.

Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Cary UV Workstation Plus OpenLab Log4j Patch Installation Guide.

It is sole responsibility of user organizations to perform software qualification and validation in accordance with user’s organizational policies and procedures. The information provided by Agilent in this document is for informational purposes for the user organization to determine the extent of software qualification and validation required.

Change Log

21Dec2021: Initial version

16Feb2022: Update to include Fix Information, removed Temporary Fix details.

Was this helpful?