Is MassLynx or its associated processing software affected by the log4j (CVE-2021-44228) vulnerability? - WKB224560

ENVIRONMENT

• MassLynx 4.2
• MassLynx 4.1

ANSWER

Apache Log4j Vulnerability Update Feb 03,2022

Waters is aware of the "zero day" vulnerability (CVE-2021-44228), announced by security researchers on Dec. 9, 2021, affecting a common software package (Apache log4j). Because log4j is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex, and its impact is still being determined. Waters product and engineering teams continue to investigate this matter. Waters will provide updates for its customers about the log4j vulnerability as needed and will notify customers when the assessment is complete.

As part of our initial investigation, it has been determined that the Waters MassLynx software, listed below, and its associated components are not impacted by the Apache log4j vulnerability.

The following Waters software has been analyzed for the presence of log4j*.jar files:

• MassLynx 4.2. (including FractionLynx, IonLynx, TargetLynx, OpenLynx, ChromaLynx, MetaboLynx, BioLynx, and Maxent options from MassLynx installer)
• MassFragment
• Driftscope 3.0
• BiopharmaLynx 1.3.5
• MSe Dataviewer 2.0
• Progenesis QI
• Progenesis QI for Proteomics
• Symphony
• HDI1.6,
• DynamX3.0
• HDMS Compare 2.0
• PromassBridge 1.2
• LiveID1.2
• MassLynx Skyline Interface 1.2
• Waters Compression and Noise Reduction Tool (SCN968)
• PLGS3.0.3
• Driver Pack 2021 R1

Of these software components, only the PLGS3.0.3 installation folder contains a log4j jar file. PLGS uses version log4j 1.2.17, which is not listed as a vulnerable version of log4j in the most recently issued security alert from Apache (https://logging.apache.org/log4j/2.x/security.html). Log4j 1.2.17.jar does not contain the JMSAppender.class file associated with the reported vulnerability.

ADDITIONAL INFORMATION