Investigation of Log4j Vulnerability with Illumina LIMS
© 2023 Illumina, Inc. All rights reserved. All trademarks are the property of Illumina, Inc. or their respective owners. Trademark information: illumina.com/company/legal.html. Privacy policy: illumina.com/company/legal/privacy.html
On December 10, 2021, Illumina was made aware of vulnerabilities in the Apache Log4j software suite. This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products. Illumina uses this software as part of certain components of the Illumina LIMS product.
Issues addressed:
* CVE-2021-44228 CVSS 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
* CVE-2021-45046 CVSS 9.0 Critical (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
* CVE-2021-44832 CVSS 3.1 Medium (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

For both products, reference https://logging.apache.org/log4j/2.x/security.html
Illumina takes Data Privacy and Security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, contact techsupport@illumina.com.
Steps required to remedy Log4j vulnerability on Illumina LIMS servers
Log in to the Illumina LIMS server, either directly or with Windows Remote Desktop.
Search for Monitor Tomcat in the Windows start menu, and launch it.
Navigate to the Java tab, and perform the following:
* Add the line to the Java Options: -Dlog4j2.formatMsgNoLookups=True
Select Apply.
Select OK.
Alternatively, the fix can be applied via the system environment variables.
Use Windows Search to find Edit the system environment variables.
Select the **Environment Variables...** button.
Select New below the list of System variables.
In the New System Variable window, enter the Variable name log4j2.formatMsgNoLookup with the Variable value ‘true’.
See section highlighted in the following screenshot:
Select OK.
Restart Tomcat Service:
Navigate to Services using the Start menu.
Select IlluminaLIMS_Tomcat9.
Select Stop the service in the left column.
Select Start the service.
Log out of the LIMS server.
Notify Illumina Tech Support. For tracking and management purposes, email techsupport@illumina.com to inform Tech Support that the fix is in place.
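A read-only check to run before logging out, confirming that the settings from the steps above are in place (an added example, not Illumina's code). It assumes the Tomcat service was installed with Apache Commons Daemon (Procrun), so the registry paths below are an assumption; LOG4J_FORMAT_MSG_NO_LOOKUPS is the environment variable name Log4j documents and is checked alongside the name given in this article.

```powershell
# Added example: run in an elevated PowerShell session on the LIMS server.
$ServiceName = 'IlluminaLIMS_Tomcat9'         # service name from this article
$Flag        = '-Dlog4j2.formatMsgNoLookups=' # JVM option from this article (name is case-sensitive)

# Assumption: the service was installed with Apache Commons Daemon (Procrun), which
# stores the "Java Options" box as the multi-string registry value "Options".
$procrunKeys = @(
    "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java",
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
)
$jvmOption = foreach ($key in $procrunKeys) {
    $opts = (Get-ItemProperty -Path $key -Name Options -ErrorAction SilentlyContinue).Options
    @($opts) | Where-Object { $_ -and $_.Trim().StartsWith($Flag, [StringComparison]::Ordinal) }
}
$jvmOption = @($jvmOption) | Select-Object -First 1
# The value must be exactly true (any letter case); a quoted value does not count.
$jvmOk = $jvmOption -and ($jvmOption.Trim().Substring($Flag.Length) -ieq 'true')

# Machine-level environment variables: the name as written in this article, and
# LOG4J_FORMAT_MSG_NO_LOOKUPS, the environment variable name Log4j documents.
$envNames = 'log4j2.formatMsgNoLookup', 'LOG4J_FORMAT_MSG_NO_LOOKUPS'
$envFound = foreach ($name in $envNames) {
    $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
    if ($null -ne $value) {
        [pscustomobject]@{ Name = $name; Value = $value; IsTrue = ($value.Trim() -ieq 'true') }
    }
}

# Service state and the start time of its process, to confirm the restart took place.
$svc     = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$started = if ($svc -and $svc.ProcessId) { (Get-Process -Id $svc.ProcessId).StartTime }

[pscustomobject]@{
    Service         = $ServiceName
    ServiceState    = if ($svc) { $svc.State } else { 'not found' }
    ProcessStarted  = $started
    JvmOptionLine   = $jvmOption
    JvmOptionIsTrue = [bool]$jvmOk
    EnvVariables    = ($envFound | ForEach-Object { "$($_.Name)=$($_.Value) (true: $($_.IsTrue))" }) -join '; '
} | Format-List
```

ProcessStarted should be later than the time the option or variable was saved; if it is earlier, the running JVM has not picked up the change and the service still needs a restart.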
For any feedback or questions regarding this article (Illumina Knowledge Article #6336), contact Illumina Technical Support at techsupport@illumina.com.