Waters

Is MassLynx or its associated processing software affected by the log4j (CVE-2021-44228) vulnerability? - WKB224560

Article number: 224560

ENVIRONMENT

  • MassLynx
  • ProteinLynx Global Server
  • FractionLynx
  • IonLynx
  • TargetLynx 
  • OpenLynx 
  • ChromaLynx
  • MetaboLynx
  • BioLynx
  • MaxEnt 

ANSWER

It has been determined that Waters' MassLynx software, listed below, and its associated components are not impacted by the Apache log4j vulnerability.

The following Waters software has been analyzed for the presence of log4j*.jar files:

  • MassLynx (including the FractionLynx, IonLynx, TargetLynx, OpenLynx, ChromaLynx, MetaboLynx, BioLynx, and MaxEnt options from the MassLynx installer)
  • MassFragment
  • Driftscope 3.0
  • BiopharmaLynx 1.3.5
  • MSe Dataviewer 2.0
  • Progenesis QI
  • Progenesis QI for Proteomics
  • Symphony
  • HDI1.6
  • DynamX3.0
  • HDMS Compare 2.0
  • PromassBridge 1.2
  • LiveID1.2
  • MassLynx Skyline Interface 1.2
  • Waters Compression and Noise Reduction Tool (SCN968)
  • PLGS3.0.3
  • Driver Pack 2021 R1

Of these software components, only the PLGS3.0.3 installation folder contains a log4j jar file.
PLGS uses log4j version 1.2.17, which is not listed as a vulnerable version of log4j in the most recently issued security alert from Apache (https://logging.apache.org/log4j/2.x/security.html). Log4j 1.2.17.jar does not contain the JMSAppender.class file associated with the reported vulnerability.
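
The check described above (finding log4j*.jar files in an installation folder and looking inside each one for specific class files) can be reproduced with a short script. This is an added example, not Waters' tooling: the sample folder and jars are constructed, and JndiLookup.class is not named in the article but is included as the log4j-core 2.x class associated with CVE-2021-44228.

```python
import fnmatch
import os
import re
import tempfile
import zipfile

# JMSAppender.class is the class named in the article. JndiLookup.class is an
# addition here: the log4j-core 2.x class associated with CVE-2021-44228.
CLASSES_OF_INTEREST = ("JMSAppender.class", "JndiLookup.class")

def inspect_jar(path):
    """Return (manifest version or None, flagged class entries) for one jar."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = match.group(1) if match else None
    flagged = sorted(n for n in names if n.rsplit("/", 1)[-1] in CLASSES_OF_INTEREST)
    return version, flagged

def scan_install_dir(root):
    """Report every log4j*.jar under root (file name matched case-insensitively)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), "log4j*.jar"):
                full = os.path.join(dirpath, name)
                version, flagged = inspect_jar(full)
                findings.append({"jar": name, "path": full,
                                 "version": version, "classes": flagged})
    return sorted(findings, key=lambda f: f["jar"].lower())

def build_sample_tree(root):
    """Constructed sample data: a hypothetical install folder with two fake jars."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 1.2.17\r\n")
        z.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(lib, "Log4j-core-sample.jar"), "w") as z:
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan_install_dir(tmp):
            print(finding)
```

To check a real installation, pass its folder to scan_install_dir; an empty "classes" list means none of the flagged class files are present in that jar.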

 

ADDITIONAL INFORMATION

The "zero day" vulnerability (CVE-2021-44228) was announced by security researchers on Dec. 9, 2021, affecting a common software package (Apache Log4j Vulnerability). Because log4j is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex. MassLynx (all versions to date) does not contain log4j.
