Summary
Some OpenLab products contain version 2.8.2 of the Apache Log4j utility, which has been found to contain a critical security vulnerability. The vulnerability is documented in the United States National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Products Affected:
- OpenLab CDS client/server versions 2.2 to 2.6
- OpenLab CDS Workstation Plus versions 2.2 to 2.6
- OpenLab CDS VL Workstation Plus versions 2.2 to 2.6
- OpenLab Server versions 2.2 to 2.6
- OpenLab ECM XT versions 2.2 to 2.6
- OpenLab ChemStation Secure Workstation versions C.01.08 to C.01.10
Products Not Affected:
- OpenLab ChemStation workstation without secure storage
- OpenLab ChemStation network systems with OpenLab ECM 3.x storage
- OpenLab CDS systems with OpenLab ECM 3.x storage
- OpenLab CDS Workstation (file based)
- OpenLab CDS VL Workstation (file based)
- OpenLab EZChrom
- OpenLab ECM 3.x
- OpenLab ELN
Also not affected are other software products that are clients of affected OpenLab Server and ECM XT products. For these products, no changes are required on the client-side and updates on the server-side are fully supported with these applications:
- MassHunter Networked Workstation for LC-TOF/QTOF 11.0
- MassHunter BioConfirm Networked Workstation 11.0
- ICP-MS MassHunter 4.x or 5.x
- Cary UV Networked WorkStation
Fix Information:
Agilent released software updates with the new version of Apache Log4j released by the Apache Software Foundation. Links are posted below.
OpenLab CDS
| Version | Fix Update |
|---|---|
| 2.6 | OpenLab CDS 2.6 Update 05 or higher |
| 2.5 | OpenLab CDS 2.5 Update 09 or higher |
| 2.4 | OpenLab Content Management Security Update 01 for CDS 2.3 - 2.4* |
| 2.3 | OpenLab Content Management Security Update 01 for CDS 2.3 - 2.4* |
| 2.2 | Not planned. This version is out of support. Users are advised to upgrade. |
* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file.
OpenLab Server / OpenLab ECM XT
| Version | Fix Update |
|---|---|
| 2.6 | OpenLab ECM XT 2.6 Update 03 or higher |
| 2.5 | OpenLab ECM XT 2.5 Update 04 or higher |
| 2.4 | OpenLab Content Management Security Update 01 for ECM XT 2.3 - 2.4* |
| 2.3 | OpenLab Content Management Security Update 01 for ECM XT 2.3 - 2.4* |
| 2.2 | Not planned. This version is out of support. Users are advised to upgrade. |
* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file.
OpenLab ChemStation Secure Workstation
| Version | Fix Update |
|---|---|
| C.01.10 | Content Management Security Update 01 for ChemStation C.01.10* |
| C.01.09 | Content Management Security Update 01 for ChemStation C.01.09* |
| C.01.08 | Not planned. This version is out of support. Users are advised to upgrade. |
* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file.
Change Log
20Dec2021 10:06 PST: Initial version
20Dec2021 10:22 PST: Added section for other software products not affected that connect to OpenLab Server/ECM XT
20Dec2021 15:30 PST: Added ICPMS MassHunter and Bioconfirm as not affected products that connect to OpenLab Server/ECM XT
21Dec2021 06:58 PST: Added Cary UV Networked WorkStation as not affected product that connects to OpenLab Server/ECM XT
21Dec2021 19:04 PST: Added MassHunter products LC/TQ 10.1, Ultivo LC/TQ 1.2, GC/MS 10.1 as not affected products that connect to OpenLab Server/ECM XT
23Dec2021 11:34 PST: Updated the status of the fix updates.
05Jan2022 15:55 PST: Added links to the released updates for OpenLab CDS and ECM XT.
06Jan2022 10:04 PST: Removed mention of MassHunter products not affected that do not operate as clients for OpenLab Server or ECM XT. A separate article for MassHunter will be published.
10Jan2022 06:43 PST: Removed the instructions for the temporary workaround from the Apache Foundation as fixes are now available.
10Jan2022 15:17 PST: Added Important Note for the security updates for users to check they have the required prerequisite update already installed.
11Jan2022 11:55 PST: Fixed links for the 2.3, 2.4, and 2.6 fixes (they were all going to the 2.5 folder).
13Jan2022 11:52 PST: Added links for the OpenLab ChemStation fixes. Removed note about clicking + as the readme file link is no longer hidden.
25Jan2022 15:17 PST: Updated the OpenLab CDS and ECM XT version 2.5 links to the newest cumulative updates.
04Feb2022 15:38 PST: Updated name of updates for 2.3 and 2.4 that now have updated readme documents.
15Feb2022 18:54 PST: Updated the OpenLab CDS and ECM XT version 2.6 links to the newest cumulative updates.
29Sep2022 16:47 PDT: Added "or higher" where there are newer updates also containing the fix.