Investigation of Log4j Vulnerability with Illumina LIMS

On December 10, 2021, Illumina was made aware of vulnerabilities in the Apache Log4j software suite. This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products. Illumina uses this software as part of certain components of the Illumina LIMS product.
Issues addressed:
  • CVE-2021-44228 CVSS 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-45046 CVSS 9.0 Critical (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2021-44832 CVSS 3.1 Medium (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
For both products, reference https://logging.apache.org/log4j/2.x/security.html
Illumina takes Data Privacy and Security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, contact [email protected].
Steps required to remedy Log4j vulnerability on Illumina LIMS servers
  1. Log in to the Illumina LIMS server, either directly or with Windows Remote Desktop.
  2. Search for Monitor Tomcat in the Windows start menu, and launch it.
    Investigation_Log4j_Vulnerability_Illumina_LIMS_1.jpg
  3. Navigate to the Java tab, and perform the following:
  • Add the line to the Java Options: -Dlog4j2.formatMsgNoLookups=True
  • Select Apply.
  • Select OK.
Investigation_Log4j_Vulnerability_Illumina_LIMS_2.jpg
  4. Alternatively, the fix can be applied via the system environment variables.
  • Use Windows Search to find Edit the system environment variables.
  • Select the **Environment Variables...** button.
  • Select New below the list of System variables.
  • In the New System Variable window, enter in Variable name:
    • log4j2.formatMsgNoLookup with the Variable Value: true
  • See section highlighted in the following screenshot:
Investigation_Log4j_Vulnerability_Illumina_LIMS_3.jpg
  • Select OK.
  5. Restart Tomcat Service:
  • Navigate to Services using the Start menu.
  • Select IlluminaLIMS_Tomcat9.
  • Select Stop the service in the left column.
  • Select Start the service.
Investigation_Log4j_Vulnerability_Illumina_LIMS_4.jpg
  6. Log out of the LIMS server.
  7. Notify Illumina Tech Support. For tracking and management purposes, email techsuppo[email protected] to inform Tech Support that the fix is in place.
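
One way to confirm that steps 3 to 5 took effect, as an added PowerShell example that is not part of Illumina's article. It assumes the service is a standard Apache Commons Daemon (procrun) Tomcat service, so the registry paths and the `Options9` value name are assumptions about this installation; the second environment-variable name is the spelling used on Apache's Log4j security page.

```powershell
# Added example, not Illumina's code. Run in an elevated PowerShell on the LIMS server.
# Assumption: procrun-based Tomcat service, with the Monitor Tomcat "Java Options" box
# stored as a multi-string value under the Procrun 2.0 registry key.
param([string]$ServiceName = 'IlluminaLIMS_Tomcat9')   # service name from step 5

function Test-NoLookupsOption {
    param([string[]]$JavaOptions)
    $result = $false
    foreach ($opt in $JavaOptions) {
        # Property name is case-sensitive; Log4j compares the value to "true" ignoring
        # case. The last occurrence wins, as it does on a JVM command line.
        if ("$opt".Trim() -cmatch '^-Dlog4j2\.formatMsgNoLookups=(.*)$') {
            $result = ($Matches[1].Trim() -ieq 'true')
        }
    }
    return $result
}

# Constructed sample option lists: sanity-check the parser before trusting the report.
if (-not (Test-NoLookupsOption @('-Xmx2g', '-Dlog4j2.formatMsgNoLookups=True')) -or
    (Test-NoLookupsOption @('-Dlog4j2.formatMsgNoLookups=false'))) { throw 'self-check failed' }

# Step 3: option saved by Monitor Tomcat (64-bit and 32-bit registry views).
$roots = 'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0',
         'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0'
$jvmFlag = $false
foreach ($root in $roots) {
    $key = Join-Path $root "$ServiceName\Parameters\Java"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Options', 'Options9') {
        if ($props.PSObject.Properties[$name] -and (Test-NoLookupsOption $props.$name)) { $jvmFlag = $true }
    }
}

# Step 4: machine-level variables (name as written in step 4, then Apache's spelling).
$envSet = 'log4j2.formatMsgNoLookup', 'LOG4J_FORMAT_MSG_NO_LOOKUPS' |
    Where-Object { [Environment]::GetEnvironmentVariable($_, 'Machine') -ieq 'true' }

# Step 5: a JVM reads these settings only at start-up, so report when it last started.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$started = if ($svc -and $svc.ProcessId) { (Get-Process -Id $svc.ProcessId).StartTime }

[pscustomobject]@{
    JavaOptionSet    = $jvmFlag
    EnvVarsSetToTrue = $envSet -join ', '
    ServiceState     = if ($svc) { $svc.State } else { 'not found' }
    ProcessStarted   = $started
}
```

A `ProcessStarted` time earlier than the change means the running JVM has not picked up the setting yet. Apache's security page, linked above, describes the `formatMsgNoLookups` setting as an incomplete mitigation and upgrading Log4j as the fix, so the report confirms this article's steps only.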
For any feedback or questions regarding this article (Illumina Knowledge Article #6336), contact Illumina Technical Support [email protected].
© 2023 Illumina, Inc. All rights reserved. All trademarks are the property of Illumina, Inc. or their respective owners. For specific trademark information, please visit illumina.com/company/legal.html