Summary

Some OpenLab products contain version 2.8.2 of the Apache Log4j utility which has been found to contain a critical security vulnerability. This is documented in the United States National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Products Affected:

• OpenLab CDS client/server versions 2.2 to 2.6
• OpenLab CDS Workstation Plus versions 2.2 to 2.6
• OpenLab CDS VL Workstation Plus versions 2.2 to 2.6
• OpenLab Server versions 2.2 to 2.6
• OpenLab ECM XT versions 2.2 to 2.6
• OpenLab ChemStation Secure Workstation versions C.01.08 to C.01.10

Products Not Affected:

• OpenLab ChemStation workstation without secure storage
• OpenLab ChemStation network systems with OpenLab ECM 3.x storage
• OpenLab CDS systems with OpenLab ECM 3.x storage
• OpenLab CDS Workstation (file based)
• OpenLab CDS VL Workstation (file based)
• OpenLab EZChrom
• OpenLab ECM 3.x
• OpenLab ELN

Also not affected are other software products that are clients of affected OpenLab Server and ECM XT products. For these products, no changes are required on the client-side and updates on the server-side are fully supported with these applications:

• MassHunter Networked Workstation for LC-TOF/QTOF 11.0
• MassHunter BioConfirm Networked Workstation 11.0
• ICP-MS MassHunter 4.x or 5.x
• Cary UV Networked WorkStation

Fix Information:

Agilent released software updates with the new version of Apache Log4j released by the Apache Software Foundation. Links are posted below.

OpenLab CDS

* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file. 

OpenLab Server / OpenLab ECM XT

* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file. 

OpenLab ChemStation Secure Workstation

* Important Note: Security Updates must only be installed for the version and update level specified. See the required prerequisites in the Readme file. 

Change Log

20Dec2021 10:06 PST: Initial version

20Dec2021 10:22 PST: Added section for other software products not affected that connect to OpenLab Server/ECM XT

20Dec2021 15:30 PST: Added ICPMS MassHunter and Bioconfirm as not affected products that connect to OpenLab Server/ECM XT

21Dec2021 06:58 PST: Added Cary UV Networked WorkStation as not affected product that connects to OpenLab Server/ECM XT

21Dec2021 19:04 PST: Added MassHunter products LC/TQ 10.1, Ultivo LC/TQ 1.2, GC/MS 10.1 as not affected products that connect to OpenLab Server/ECM XT

23Dec2021 11:34 PST: Updated the status of the fix updates.

05Jan2022 15:55 PST: Added links to the released updates for OpenLab CDS and ECM XT.

06Jan2022 10:04 PST: Removed mention of MassHunter products not affected that do not operate as clients for OpenLab Server or ECM XT. A separate article for MassHunter will be published. 

10Jan2022 06:43 PST: Removed the instructions for the temporary workaround from the Apache Foundation as fixes are now available.

10Jan2022 15:17 PST: Added Important Note for the security updates for users to check they have the required prerequisite update already installed.

11Jan2022 11:55 PST: Fixed links for the 2.3, 2.4, and 2.6 fixes (they were all going to the 2.5 folder).

13Jan2022 11:52 PST: Added links for the OpenLab ChemStation fixes. Removed note about clicking + as the readme file link is no longer hidden.

25Jan2022 15:17 PST: Updated the OpenLab CDS and ECM XT version 2.5 links to the newest cumulative updates.

04Feb2022 15:38 PST: Updated name of updates for 2.3 and 2.4 that now have updated readme documents.

15Feb2022 18:54 PST: Updated the OpenLab CDS and ECM XT version 2.6 links to the newest cumulative updates.

29Sep2022 16:47 PDT: Added "or higher" where there are newer updates also containing the fix.