Investigation of Log4j Vulnerability with Illumina instruments
On December 10, 2021, Illumina was made aware of a vulnerability in the Apache Log4j software suite (CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832). This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products.
After Illumina became aware of the issue, we launched an investigation to identify potentially affected products and assess risk. Our current update follows.
The scope of products currently evaluated:
iSeq 100
MiSeq
NextSeq 500/55
NextSeq 1000/2000
NovaSeq 6000
HiSeq 1500/2500
HiSeq 3000/4000
HiSeq X
iScan
Status of evaluation:
For all models other than HiSeq series: the base shipping configuration is not affected.
For all HiSeq series models: the base shipping configuration is mitigated.
For all models: certain software installations and configurations may introduce affected components.
Known Affected Components:
Illumina Local Run Manager (LRM)
This optional software module ships with an optional subcomponent, the Genome Analysis Tool Kit (GATK, MIT), which contains an affected version of log4j v.1.x.
This component is not accessible remotely, requires authenticated console access, and requires a measurable amount of preparation to execute a successful attack.
This module is currently risk assessed as mitigated. CVSS 3.1 scale Base score: 6.1 Medium; Temporal and Environmental scores: 5.4 Medium. Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:U/RL:W/RC:C
All HiSeq models:
All HiSeq models ship with the Broadcom LSI MegaRAID Storage Manager Suite installed. This software contains an affected version of log4j v.1.x. The default shipping configuration of the HiSeq unit blocks remote access to this component, which requires authenticated console access and a measurable amount of preparation to execute a successful attack.
Note: If the device firewall settings have been disabled or modified, remote access to this software component on TCP:80 (HTTP) is possible. Customers are advised to confirm that any system modifications have not disabled the default firewall settings.
This module is currently risk assessed as mitigated. CVSS 3.1 scale Base score: 6.1 Medium; Temporal and Environmental scores: 5.4 Medium. Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:U/RL:W/RC:C
Illumina takes data privacy and security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, email techsupport@illumina.com.
For any feedback or questions regarding this article (Illumina Knowledge Article #6291), contact Illumina Technical Support at techsupport@illumina.com.