Apache Log4j Security Vulnerability in Some OpenLab Products

Summary

Some OpenLab products contain version 2.8.2 of the Apache Log4j utility, which has been found to contain a critical security vulnerability. This is documented in the United States National Vulnerability Database as CVE-2021-44228: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Products Affected:

  • OpenLab CDS client/server versions 2.2 to 2.6
  • OpenLab CDS Workstation Plus versions 2.2 to 2.6
  • OpenLab CDS VL Workstation Plus versions 2.2 to 2.6
  • OpenLab Server versions 2.2 to 2.6
  • OpenLab ECM XT versions 2.2 to 2.6
  • OpenLab ChemStation Secure Workstation versions C.01.08 to C.01.10

Products Not Affected:

  • OpenLab ChemStation workstation without secure storage
  • OpenLab ChemStation network systems with OpenLab ECM 3.x storage
  • OpenLab CDS systems with OpenLab ECM 3.x storage
  • OpenLab CDS Workstation (file based)
  • OpenLab CDS VL Workstation (file based)
  • OpenLab EZChrom
  • OpenLab ECM 3.x
  • OpenLab ELN

Also not affected are other software products that are clients of affected OpenLab Server and ECM XT products. For these products, no changes are required on the client-side and updates on the server-side are fully supported with these applications:

  • MassHunter Networked Workstation for LC-TOF/QTOF 11.0
  • MassHunter BioConfirm Networked Workstation 11.0
  • ICP-MS MassHunter 4.x or 5.x
  • Cary UV Networked WorkStation

Fix Information:

Agilent released software updates with the new version of Apache Log4j released by the Apache Software Foundation. Links are posted below.

OpenLab CDS

| Version | Fix Update |
|---------|------------|
| 2.6 | OpenLab CDS 2.6 Update 05 or higher |
| 2.5 | OpenLab CDS 2.5 Update 09 or higher |
| 2.4 | OpenLab Content Management Security Update 01 for CDS 2.3 - 2.4* |
| 2.3 | OpenLab Content Management Security Update 01 for CDS 2.3 - 2.4* |
| 2.2 | Not planned. This version is out of support. Users are advised to upgrade. |

* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file. 

OpenLab Server / OpenLab ECM XT

| Version | Fix Update |
|---------|------------|
| 2.6 | OpenLab ECM XT 2.6 Update 03 or higher |
| 2.5 | OpenLab ECM XT 2.5 Update 04 or higher |
| 2.4 | OpenLab Content Management Security Update 01 for ECM XT 2.3 - 2.4* |
| 2.3 | OpenLab Content Management Security Update 01 for ECM XT 2.3 - 2.4* |
| 2.2 | Not planned. This version is out of support. Users are advised to upgrade. |

* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file. 

OpenLab ChemStation Secure Workstation

| Version | Fix Update |
|---------|------------|
| C.01.10 | Content Management Security Update 01 for ChemStation C.01.10* |
| C.01.09 | Content Management Security Update 01 for ChemStation C.01.09* |
| C.01.08 | Not planned. This version is out of support. Users are advised to upgrade. |

* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file. 

Change Log

20Dec2021 10:06 PST: Initial version

20Dec2021 10:22 PST: Added section for other software products not affected that connect to OpenLab Server/ECM XT

20Dec2021 15:30 PST: Added ICPMS MassHunter and Bioconfirm as not affected products that connect to OpenLab Server/ECM XT

21Dec2021 06:58 PST: Added Cary UV Networked WorkStation as not affected product that connects to OpenLab Server/ECM XT

21Dec2021 19:04 PST: Added MassHunter products LC/TQ 10.1, Ultivo LC/TQ 1.2, GC/MS 10.1 as not affected products that connect to OpenLab Server/ECM XT

23Dec2021 11:34 PST: Updated the status of the fix updates.

05Jan2022 15:55 PST: Added links to the released updates for OpenLab CDS and ECM XT.

06Jan2022 10:04 PST: Removed mention of MassHunter products not affected that do not operate as clients for OpenLab Server or ECM XT. A separate article for MassHunter will be published. 

10Jan2022 06:43 PST: Removed the instructions for the temporary workaround from the Apache Foundation as fixes are now available.

10Jan2022 15:17 PST: Added Important Note for the security updates for users to check they have the required prerequisite update already installed.

11Jan2022 11:55 PST: Fixed links for the 2.3, 2.4, and 2.6 fixes (they were all going to the 2.5 folder).

13Jan2022 11:52 PST: Added links for the OpenLab ChemStation fixes. Removed note about clicking + as the readme file link is no longer hidden.

25Jan2022 15:17 PST: Updated the OpenLab CDS and ECM XT version 2.5 links to the newest cumulative updates.

04Feb2022 15:38 PST: Updated name of updates for 2.3 and 2.4 that now have updated readme documents.

15Feb2022 18:54 PST: Updated the OpenLab CDS and ECM XT version 2.6 links to the newest cumulative updates.

29Sep2022 16:47 PDT: Added "or higher" where there are newer updates also containing the fix.
