Investigation of Log4j Vulnerability with Illumina LIMS

On December 10, 2021, Illumina was made aware of vulnerabilities in the Apache Log4j software suite. This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products. Illumina uses this software as part of certain components of the Illumina LIMS product.

Issues addressed:

  • CVE-2021-44228 CVSS 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-45046 CVSS 9.0 Critical (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

  • CVE-2021-44832 CVSS 3.1 Medium (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

For both products, reference https://logging.apache.org/log4j/2.x/security.html

Illumina takes Data Privacy and Security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, contact techsupport@illumina.com.

Steps required to remedy Log4j vulnerability on Illumina LIMS servers

  1. Log in to the Illumina LIMS server, either directly or with Windows Remote Desktop.

  2. Navigate to the Java tab, and perform the following:

  • Add the line to the Java Options: -Dlog4j2.formatMsgNoLookups=True

  • Select Apply.

  • Select OK.

  3. Alternatively, the fix can be applied via the system environment variables.

  • Use Windows Search to find Edit the system environment variables.

  • Select the **Environment Variables...** button.

  • Select New below the list of System variables.

  • In the New System Variable window, enter the Variable name log4j2.formatMsgNoLookup with the Variable value ‘true’.

  • Select OK.

  4. Restart the Tomcat service:

  • Navigate to Services using the Start menu.

  • Select IlluminaLIMS_Tomcat9.

  • Select Stop the service in the left column.

  • Select Start the service.

  5. Log out of the LIMS server.

  6. Notify Illumina Tech Support. For tracking and management purposes, email techsupport@illumina.com to inform Tech Support that the fix is in place.
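
A read-only PowerShell check that the steps above took effect, added here as an example and not part of Illumina's article. It assumes the service was installed with Apache Commons Daemon (procrun), which stores the Java Options in the registry; the helper function names are hypothetical.

```powershell
# Added example: read-only check of the remediation steps above.
# Assumption: the service was installed with Apache Commons Daemon (procrun),
# which stores the "Java Options" box in the registry value read below.
$ServiceName = 'IlluminaLIMS_Tomcat9'          # service name from the steps above
$JvmFlag     = '-Dlog4j2.formatMsgNoLookups'   # Java option from the steps above
$EnvVarName  = 'log4j2.formatMsgNoLookup'      # variable name as written above

function Test-JvmOption {                      # hypothetical helper name
    param([string]$Service, [string]$Flag)
    $roots = 'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0',
             'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0'
    foreach ($root in $roots) {
        $key = Join-Path $root "$Service\Parameters\Java"
        if (-not (Test-Path $key)) { continue }
        # Options is a REG_MULTI_SZ: one JVM argument per string.
        $options = (Get-ItemProperty -Path $key -Name Options -ErrorAction SilentlyContinue).Options
        foreach ($opt in $options) {
            # -match is case-insensitive, so "=True" and "=true" both pass.
            if ($opt.Trim() -match ('^' + [regex]::Escape($Flag) + '=true$')) { return $true }
        }
    }
    return $false
}

function Get-ServiceProcessStart {             # hypothetical helper name
    param([string]$Service)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Service'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }   # missing or stopped
    return (Get-Process -Id $svc.ProcessId).StartTime
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
[pscustomobject]@{
    Service             = $ServiceName
    Status              = if ($svc) { $svc.Status } else { 'NotFound' }
    JavaOptionPresent   = Test-JvmOption -Service $ServiceName -Flag $JvmFlag
    SystemVariableValue = [Environment]::GetEnvironmentVariable($EnvVarName, 'Machine')
    # A start time earlier than the change means the restart step is still pending.
    ProcessStarted      = Get-ServiceProcessStart -Service $ServiceName
}
```

Run it from an elevated PowerShell prompt on the LIMS server and compare ProcessStarted with the time the setting was changed.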

For any feedback or questions regarding this article (Illumina Knowledge Article #6336), contact Illumina Technical Support techsupport@illumina.com.

© 2023 Illumina, Inc. All rights reserved. All trademarks are the property of Illumina, Inc. or their respective owners. Trademark information: illumina.com/company/legal.html. Privacy policy: illumina.com/company/legal/privacy.html