Summary

Some Molecular Spectroscopy products ship with version 2.8.2 of the Apache Log4j logging library. This version falls within the range (Log4j 2.0-beta9 through 2.14.1) affected by a critical remote code execution vulnerability, CVE-2021-44228, in which attacker-controlled text that reaches a log message is resolved as a JNDI lookup. The vulnerability is documented in the United States National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Products Not Affected:

  • Cary WinFLR for the Cary Eclipse spectrophotometer
  • Cary WinUV v5.X (inc. SCM/SDA) for the Cary 60 UV-Vis spectrophotometer
  • Cary WinUV v6.X for the Cary 4/5/6/7000 UV-Vis and UV-Vis-NIR spectrophotometer
  • Cary WinUV v4.X (inc. SCM/SDA) for the Cary 100/300 UV-Vis spectrophotometer
  • UV-Vis ChemStation software for the 845X UV-Vis spectrophotometer
  • MicroLab v5.X software for the Cary 630 and handheld FTIR spectrometers
  • MicroLab Expert v1.X
  • Resolutions Pro FTIR v5.x software for the Cary 600 series FTIR spectrometers and microscopes
  • Clarity v1.x for the 8700 LDIR Imaging System
  • Cary UV Workstation v1.0, 1.1, and 1.2 without Content Management for the Cary 3500 UV-Vis spectrophotometer
  • Agilent RapID Raman, all versions of the RapID software
  • Agilent Vaya Raman, all versions of the Vaya software
  • Agilent Resolve v1.X and Command v1.X
  • Agilent Insight v.3.X and Overview v.2.X

Products Affected:

  • Cary UV Workstation Plus v1.1 and v1.2 (G5194AA and G5195AA) 

Temporary Solution:

Until a fix is available, the mitigation recommended by the Apache Software Foundation for Log4j versions earlier than 2.10 is to remove the JndiLookup class from the log4j-core jar. Note that the log4j2.formatMsgNoLookups setting has no effect on version 2.8.2, because that setting was only introduced in Log4j 2.10.0; removing the class is the only effective mitigation short of upgrading. See Procedure for Disabling the JndiLookup class of Log4j below.

Fix Information:

Agilent is preparing a software patch that includes the fixed version of Apache Log4j released by the Apache Software Foundation. The patch will be released and posted to Agilent SubscribeNet. Subscribed users will receive an email notification.

Procedure for Disabling the JndiLookup class of Log4j

Agilent recommends that customers immediately disable the JndiLookup class of Log4j. This is the mitigation recommended by the Apache Software Foundation (source: https://logging.apache.org/log4j/2.x/security.html).

The following procedure has been verified in the Agilent software test lab:

  1. Plan for a brief downtime for the system. Note that this mitigation only requires a restart of the Tomcat web server (the ‘alfrescoTomcat’ service), not of the entire machine.
  2. Back up the file "C:\Program Files (x86)\Agilent Technologies\OpenLAB Data Store\tomcat\webapps\webhorse.war" (or the equivalent path if the software is installed on a different drive).
  3. On the affected machine, stop the ‘alfrescoTomcat’ service.
  4. Copy the attached zip file to the affected machine and extract the DisableJndiLookup.ps1 and Launcher.bat files to the same location.
  5. If the software is installed on a different drive, edit the 2 lines of DisableJndiLookup.ps1 that contain the installation path so that they point to the correct drive.
  6. Right-click on Launcher.bat and select Run As Administrator.

Note: Running the script a second time will produce an error that the component is not found, for example:

“Remove-Item : Cannot find path 'C:\Program Files (x86)\Agilent Technologies\OpenLAB Data Store\tomcat\webapps\webhorse' because it does not exist. …”

  7. Start the ‘alfrescoTomcat’ service. Note that the webhorse folder is recreated automatically when Tomcat redeploys the modified webhorse.war.

Note that the Software Verification Tool will report a failure for the modified webhorse.war file, because the file no longer matches the one that was installed. Also note that if the Cary UV Workstation Plus software is reinstalled, the original webhorse.war is restored and this procedure must be repeated.

Cary UV Workstation Plus users should not observe any change in system operation. No product functionality is affected by disabling the JndiLookup class.
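The following PowerShell script is an added example of the mitigation described in the Temporary Solution and in the procedure above: it stops the Tomcat service, backs up webhorse.war, removes the exploded webhorse folder, deletes JndiLookup.class from every log4j-core jar nested under WEB-INF/lib inside the war, verifies that the class is gone, and restarts the service. It is not Agilent's attached DisableJndiLookup.ps1 and has not been verified by Agilent; it assumes the default installation path, the service name ‘alfrescoTomcat’, and that log4j-core is packaged as WEB-INF/lib/log4j-core-*.jar inside the war. Unlike the attached script as described in the note above, a second run does not fail when the webhorse folder is already absent.

```powershell
# Added example (not Agilent's DisableJndiLookup.ps1). Assumptions: default install
# path, service name 'alfrescoTomcat', log4j-core jar under WEB-INF/lib in the war.
# Run from an elevated PowerShell prompt on the affected machine.
#Requires -RunAsAdministrator
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

$ServiceName = 'alfrescoTomcat'
$War = 'C:\Program Files (x86)\Agilent Technologies\OpenLAB Data Store\tomcat\webapps\webhorse.war'
# Tomcat explodes the .war into a sibling folder of the same name; that folder still holds
# the unpatched jar and must be removed so Tomcat redeploys from the patched war.
$Exploded = Join-Path (Split-Path $War) ([System.IO.Path]::GetFileNameWithoutExtension($War))
$JndiClass = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$JarPattern = 'WEB-INF/lib/log4j-core-*.jar'

# Delete JndiLookup.class from a jar on disk. Returns $true if the class was present.
function Remove-JndiLookupFromJar([string]$JarPath) {
    $jar = [System.IO.Compression.ZipFile]::Open($JarPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        $entry = $jar.GetEntry($JndiClass)
        if ($null -eq $entry) { return $false }
        $entry.Delete()
        return $true
    } finally { $jar.Dispose() }
}

# Patch every log4j-core jar nested in the war. Returns the names of the entries changed.
function Remove-JndiLookupFromWar([string]$WarPath) {
    $patched = @()
    $war = [System.IO.Compression.ZipFile]::Open($WarPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        # Snapshot the entry list: the archive is modified while we loop over it.
        $jars = @($war.Entries | Where-Object { $_.FullName -like $JarPattern })
        foreach ($jarEntry in $jars) {
            $name = $jarEntry.FullName
            $tmp = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($name))
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($jarEntry, $tmp, $true)
            if (Remove-JndiLookupFromJar $tmp) {
                # Replace the nested jar with the patched copy under the same entry name.
                $jarEntry.Delete()
                [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($war, $tmp, $name)
                $patched += $name
            }
            Remove-Item $tmp -Force
        }
    } finally { $war.Dispose() }
    return $patched
}

# Verification: does any nested log4j-core jar still contain JndiLookup.class?
function Test-JndiLookupPresent([string]$WarPath) {
    $war = [System.IO.Compression.ZipFile]::OpenRead($WarPath)
    try {
        foreach ($jarEntry in ($war.Entries | Where-Object { $_.FullName -like $JarPattern })) {
            # Copy the nested jar into memory; the entry's own stream is not seekable.
            $ms = New-Object System.IO.MemoryStream
            $s = $jarEntry.Open(); $s.CopyTo($ms); $s.Dispose(); $ms.Position = 0
            $inner = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Read)
            try { if ($null -ne $inner.GetEntry($JndiClass)) { return $true } }
            finally { $inner.Dispose() }
        }
        return $false
    } finally { $war.Dispose() }
}

Stop-Service -Name $ServiceName
# Backup suffix deliberately does not end in .war, so Tomcat will not deploy the backup.
Copy-Item $War "${War}.$(Get-Date -Format yyyyMMddHHmmss).bak"
# Idempotent: a second run must not fail because the exploded folder is already gone.
if (Test-Path $Exploded) { Remove-Item $Exploded -Recurse -Force }
$changed = @(Remove-JndiLookupFromWar $War)
if (Test-JndiLookupPresent $War) {
    throw "JndiLookup.class is still present in $War; not starting $ServiceName"
}
Start-Service -Name $ServiceName   # Tomcat re-explodes the patched war on start
if ($changed.Count -eq 0) { 'Nothing to do: JndiLookup.class was already absent.' }
else { "Removed JndiLookup.class from: $($changed -join ', ')" }
```

Test-JndiLookupPresent can also be run on its own, for example after a reinstall, to confirm whether the mitigation still needs to be applied. As with the attached script, the modified webhorse.war will cause the Software Verification Tool to report a failure.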

Attachment

6558.DisableJndiLookup.zip 

Change Log

21Dec2021: Initial version

Anonymous