Investigation of Log4j Vulnerability with Illumina LIMS
On December 10, 2021, Illumina was made aware of vulnerabilities in the Apache Log4j software suite. This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products. Illumina uses this software as part of certain components of the Illumina LIMS product.
Issues addressed:
- CVE-2021-44228 CVSS 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE-2021-45046 CVSS 9.0 Critical (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE-2021-44832 CVSS 3.1 Medium (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

For both products, reference https://logging.apache.org/log4j/2.x/security.html
Illumina takes Data Privacy and Security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, contact [email protected].
Steps required to remedy Log4j vulnerability on Illumina LIMS servers
1. Log into Illumina LIMS server - either directly or with Windows Remote Desktop.
2. Search for Monitor Tomcat in the Windows start menu, and launch it.
3. Navigate to the Java tab, and perform the following:
   - Add the line to the Java Options: -Dlog4j2.formatMsgNoLookups=True
   - Select Apply.
   - Select OK.
4. Alternatively, the fix can be applied via the system environmental variables.
   - Use Windows Search to find Edit the system environment variables.
   - Select the **Environment Variables...** button.
   - Select New below the list of System variables.
   - In the New System Variable window, enter in Variable name: log4j2.formatMsgNoLookup with the Variable Value: true
   - See section highlighted in the following screenshot:
   - Select OK.
5. Restart Tomcat Service:
   - Navigate to Services using the Start menu.
   - Select IlluminaLIMS_Tomcat9.
   - Select Stop the service in the left column.
   - Select Start the service.
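
To confirm the steps above took effect, the following PowerShell check (an added example, not Illumina's own tooling) reads back the Java Options, the system variable, and the service's process start time. It assumes the service was installed with Apache Commons Daemon (procrun), which stores the Java tab's options under the registry keys shown, and that it is run from an elevated prompt.

```powershell
# Added example: read back the settings made in steps 3-5. Not vendor code.
# Assumption: procrun's default registry layout; adjust if your install differs.
$ServiceName = 'IlluminaLIMS_Tomcat9'          # service name from step 5
$Flag        = '-Dlog4j2.formatMsgNoLookups'   # option from step 3
$EnvName     = 'log4j2.formatMsgNoLookup'      # variable name as written in step 4

function Test-JavaOption {
    param([string[]]$Options, [string]$Flag)
    # True when one option line is exactly "<flag>=true" (-match ignores case)
    foreach ($o in $Options) {
        if ($o -and $o.Trim() -match ('^' + [regex]::Escape($Flag) + '=true$')) {
            return $true
        }
    }
    return $false
}

# 1. Java Options saved by the Monitor Tomcat "Java" tab (multi-string value "Options")
$roots = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0',
         'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0'
$options = @()
foreach ($r in $roots) {
    $key = Join-Path $r "$ServiceName\Parameters\Java"
    if (Test-Path $key) {
        $options += (Get-ItemProperty -Path $key -Name Options -ErrorAction SilentlyContinue).Options
    }
}

# 2. Machine-level environment variable from the alternative in step 4
$envValue = [Environment]::GetEnvironmentVariable($EnvName, 'Machine')

# 3. Service state, and when its process started (must be after the change was saved)
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$started = if ($svc -and $svc.ProcessId) { (Get-Process -Id $svc.ProcessId).StartTime } else { $null }

[pscustomobject]@{
    JavaOptionPresent = Test-JavaOption -Options $options -Flag $Flag
    EnvVariableValue  = $envValue
    ServiceState      = $svc.State
    ProcessStartTime  = $started
}
```

A `ProcessStartTime` earlier than the moment the option or variable was saved means the restart in step 5 has not yet picked up the change.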