Waters

Does the Log4Shell (log4j) vulnerability impact Empower? - WKB224539

Article number: 224539

ENVIRONMENT

  • Empower 3.7
  • Empower 3.6.1
  • Empower 3.6.0
  • Empower 3 FR5, including subsequent service releases and hotfixes
  • Empower 3 FR4, including subsequent service releases and hotfixes
  • Empower 3 FR3, including subsequent service releases and hotfixes
  • Empower 3 FR2, including subsequent service releases and hotfixes
  • Empower QS
  • Empower QSN
  • Log4Shell
  • Log4j
  • CVE-2021-44228
  • CVE-2021-45046

ANSWER

Apache Log4j Vulnerability Update Feb 03, 2022

Waters is aware of the "zero day" vulnerability (CVE-2021-44228), announced by security researchers on Dec. 9, 2021, affecting a common software package (Apache log4j). Because log4j is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex, and its impact is still being determined. Waters product and engineering teams continue to investigate this matter for potential impacts to Waters software products. Waters will provide updates about its findings and will notify customers with relevant information and/or instructions.

Waters Empower Chromatography Data System

Waters performed an assessment of the Empower Chromatography Data System (CDS) application binaries and the third-party software code included in standard Empower deployments. Waters’ current findings are documented below. Please continue to check this page for further updates.

  • For all versions of Waters Empower CDS, the Empower application codebase is not built on Java and does not use Apache log4j libraries.
  • Empower Personal, Empower Workgroup, and Empower Enterprise are offered with Oracle database installations that contain Apache log4j libraries (see more detail below), but default implementations of Empower CDS supported by Waters do not rely on or use log4j libraries for normal application functions.
     
  • Waters tested all supported versions of Empower and determined that the directories containing affected Log4j libraries deployed by Oracle installations using the Waters-supplied media can be safely quarantined or removed. Quarantine by archiving the affected directories using zip or an equivalent utility is recommended over removal because it is reversible and thus less prone to errors.

 

  • Empower 3.6.x
  • Default installations of Empower Personal, Empower Workgroup, and Empower Enterprise version(s) 3.6.x include Oracle Database installations that contain Apache log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache log4j libraries. Affected log4j libraries are located at:

\Empower\Oracle\Oracle19c\md\property_graph\lib
This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Empower CDS product. The parent directory \Empower\Oracle\Oracle19c\md can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle19c\sqldeveloper\sqldeveloper\lib
While an affected log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Empower product operation. The parent directory \Empower\Oracle\Oracle19c\sqldeveloper can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle19c\suptools\tfa\release\tfa_home\jlib
This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Empower CDS product. The parent directory \Empower\Oracle\Oracle19c\suptools\tfa can be safely quarantined or removed without impacting normal operation of Empower.

  • Default installations of Empower Client or Empower LAC/E version(s) 3.6.x do not contain Apache Log4j libraries and are not affected by the Log4j vulnerabilities.
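
An added example (not Waters or Oracle code) of the inventory and reversible quarantine described above, in PowerShell: it classifies each log4j JAR under an Oracle home as 1.x or 2.x by its contents, then zips the parent directories this article lists for Empower 3.6.x and removes each original only after the archive's file count matches. The drive letter `D:`, the `D:\Log4jQuarantine` folder and both function names are assumptions; the sample call uses `-WhatIf`, which only previews the quarantine.

```powershell
# Added example, not Waters or Oracle code. Drive letter and quarantine folder are assumed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jInventory {
    param([Parameter(Mandatory)][string]$OracleHome)
    Get-ChildItem -LiteralPath $OracleHome -Recurse -File -Filter '*log4j*.jar' |
        ForEach-Object {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($_.FullName)
            try {
                $names = $zip.Entries.FullName -replace '\\', '/'
                # JndiLookup.class ships only in log4j-core 2.x; 1.x lives under org/apache/log4j/
                $kind = if ($names -contains 'org/apache/logging/log4j/core/lookup/JndiLookup.class') {
                    '2.x core (JndiLookup present)'
                } elseif ($names -like 'org/apache/log4j/*') { '1.x' } else { 'other log4j jar' }
            } finally { $zip.Dispose() }
            [pscustomobject]@{ Kind = $kind; Path = $_.FullName }
        }
}

function Move-ToQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OracleHome, [string[]]$RelativeDir, [string]$QuarantineRoot)
    New-Item -ItemType Directory -Path $QuarantineRoot -Force | Out-Null
    foreach ($rel in $RelativeDir) {
        $src = Join-Path $OracleHome $rel
        if (-not (Test-Path -LiteralPath $src -PathType Container)) { continue }
        $dst = Join-Path $QuarantineRoot (($rel -replace '[\\/]', '_') + '.zip')
        if (-not $PSCmdlet.ShouldProcess($src, "Archive to $dst and remove original")) { continue }
        [System.IO.Compression.ZipFile]::CreateFromDirectory($src, $dst)
        # Remove the original only if the archive holds as many files as the source tree.
        $zip = [System.IO.Compression.ZipFile]::OpenRead($dst)
        try { $archived = @($zip.Entries | Where-Object { $_.Name }).Count } finally { $zip.Dispose() }
        $onDisk = @(Get-ChildItem -LiteralPath $src -Recurse -File -Force).Count
        if ($archived -ne $onDisk) { throw "Archive incomplete for $src; original left in place" }
        Remove-Item -LiteralPath $src -Recurse -Force
    }
}

$oracleHome = 'D:\Empower\Oracle\Oracle19c'   # assumed drive letter; the article omits it
Get-Log4jInventory -OracleHome $oracleHome | Format-Table -AutoSize
# Parent directories the article names for Empower 3.6.x; -WhatIf previews without changes.
Move-ToQuarantine -OracleHome $oracleHome -RelativeDir 'md', 'sqldeveloper', 'suptools\tfa' `
    -QuarantineRoot 'D:\Log4jQuarantine' -WhatIf
```

To reverse a quarantine, extract the archive back to the original directory, for example with `Expand-Archive`.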

 

  • Empower 3 FR5
  • Default installations of Empower Personal, Empower Workgroup, and Empower Enterprise based on Empower 3 FR5 include Oracle Database installations that contain Apache log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache log4j libraries. Affected log4j libraries are located at:

\Empower\Oracle\Oracle18c\md\jlib
This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Empower CDS product. The parent directory \Empower\Oracle\Oracle18c\md can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle18c\md\property_graph\lib
This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the Empower CDS product. The parent directory \Empower\Oracle\Oracle18c\md can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle18c\sqldeveloper\sqldeveloper\lib
While an affected log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Empower product operation. The parent directory \Empower\Oracle\Oracle18c\sqldeveloper can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle18c\sqldeveloper\sqldeveloper\extensions\oracle.sqldeveloper.onsd\lib
While an affected log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Empower product operation. The parent directory \Empower\Oracle\Oracle18c\sqldeveloper can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle18c\oui\jlib
Oracle Universal Installer is not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Default installations of Empower Client or Empower LAC/E version based on Empower 3 FR5 do not contain Apache Log4j libraries and are not affected by the log4j vulnerabilities.

 

  • Empower 3 FR4
  • Default installations of Empower Personal, Empower Workgroup, and Empower Enterprise based on Empower 3 FR4 include Oracle Database installations that contain Apache log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache log4j libraries. Affected Log4j libraries are located at:

\Empower\Oracle\Oracle12c\ccr\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle12c\oc4j\ant\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle12c\sysman\jlib\ocm
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle12c\sqldeveloper\sqldeveloper\lib
While an affected log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for Empower product operation. The parent directory \Empower\Oracle\Oracle12c\sqldeveloper can be safely quarantined or removed without impacting normal operation of Empower.

\Empower\Oracle\Oracle12c\oui\jlib\jlib
Oracle Universal Installer is not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Default installations of Empower Client or Empower LAC/E version based on Empower 3 FR4 contain Apache log4j libraries located at:

\Empower\Oracle\Oracle12cClient\oui\jlib\jlib
Oracle Universal Installer is not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Empower 3 FR3
  • Default installations of Empower Personal, Empower Workgroup, and Empower Enterprise based on Empower 3 FR3 contain Oracle Database installations that contain Apache log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache log4j libraries. Apache log4j libraries are located at:

\Empower\Oracle\Oracle11g_4\ccr\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_4\oc4j\ant\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_4\sysman\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_4\sysman\jlib\ocm
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_4\oui\jlib\jlib
Oracle Universal Installer is not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Default installations of Empower Client or Empower LAC/E version based on Empower 3 FR3 contain Apache log4j libraries. Apache log4j libraries are located at:

\Empower\Oracle\Oracle11gClient_4\oui\jlib\jlib
Oracle Universal Installer is not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11gClient_4\sysman\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

 

  • Empower 3 FR2
  • Default installations of Empower Personal, Empower Workgroup, and Empower Enterprise based on Empower 3 FR2 include Oracle Database installations that contain Apache log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache log4j libraries. Apache log4j libraries are located at:

\Empower\Oracle\Oracle11g_2\sysman\jlib\ocm
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_2\sysman\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_2\oui\jlib\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_2\oc4\ant\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_2\ccr\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11g_2\inventory\scripts\ext\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

  • Default installations of Empower Client or Empower LAC/E version based on Empower 3 FR2 contain Apache log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache log4j libraries. Apache log4j libraries are located at:

\Empower\Oracle\Oracle11gClient_2\sysman\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11gClient_2\oui\jlib\jlib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11gClient_2\OPatch\ocm\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

\Empower\Oracle\Oracle11gClient_2\ccr\lib
Version 1.x log4j libraries are not affected by log4j vulnerabilities. (Oracle Doc ID 2830143.1)

 

  • Waters has also assessed possible impacts of the log4j vulnerability on the following products that are often used in conjunction with Empower.

Sample Set Generator

Empower Inventory Viewer

Sample Weight Importer

Waters Data Converter v2.1

Waters Data Converter V3.2

SecureSync v1.0

Waters Instrument Drivers

Waters ICF Support Layer

Agilent Instrument Control Framework and related drivers were scanned for the presence of log4j libraries. None was found.

ADDITIONAL INFORMATION

For Empower database installations not leveraging Waters-supplied Oracle database software, please contact the appropriate vendor for an assessment of this vulnerability within the specific environment.

 
