Investigation of Log4j Vulnerability with Illumina instruments

On December 10, 2021, Illumina was made aware of a vulnerability in the Apache Log4j software suite (CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832). This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products.

After Illumina became aware of the issue, we launched an investigation to identify potentially affected products and assess risk and have the following update:

The scope of products currently evaluated:

  • iSeq 100

  • MiSeq

  • NextSeq 500/55

  • NextSeq 1000/2000

  • NovaSeq 6000

  • HiSeq 1500/2500

  • HiSeq 3000/4000

  • HiSeq X

  • iScan

Status of evaluation:

  • For all models other than HiSeq series: the base shipping configuration is not affected.

  • For all HiSeq series models: the base shipping configuration is mitigated.

  • For all models: certain software installations and configurations may introduce affected components.

Known Affected Components:

  • Illumina Local Run Manager (LRM)

    • This optional software module ships with an optional subcomponent, the Genome Analysis Tool Kit (GATK, MIT**),** which contains an affected version of log4j v.1.x.

    • This component is not accessible remotely, requires authenticated console access, and requires a measurable amount of preparation to execute a successful attack.

    • This module is currently risk assessed as mitigated. CVSS 3.1 scale Base score: 6.1 Medium, Temporal and Environmental scores 5.4 Medium CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:U/RL:W/RC:C

  • All HiSeq models:

    • All HiSeq models ship with the Broadcom LSI MegaRAID Storage Manager Suite installed. This software contains an affected version of log4j v.1.x. The default shipping configuration of the HiSeq unit blocks remote access to this component, which requires authenticated console access, and requires a measurable amount of preparation to execute a successful attack.

    • Note: If the device firewall settings have been disabled or modified, remote access to this software component on TCP:80 (HTTP) is possible. Customers are advised to confirm that any system modifications have not disabled the default firewall settings.

    • This module is currently risk assessed as mitigated. CVSS 3.1 scale Base score: 6.1 Medium, Temporal and Environmental scores 5.4 Medium CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:U/RL:W/RC:C

Illumina takes data privacy and security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, email techsupport@illumina.com.

For any feedback or questions regarding this article (Illumina Knowledge Article #6291), contact Illumina Technical Support techsupport@illumina.com.

Last updated

© 2023 Illumina, Inc. All rights reserved. All trademarks are the property of Illumina, Inc. or their respective owners. Trademark information: illumina.com/company/legal.html. Privacy policy: illumina.com/company/legal/privacy.html