Waters

Does the Apache "Log4Shell" vulnerability in log4j affect NuGenesis? - WKB224434

Article number: 224434

ENVIRONMENT

  • NuGenesis 9
    • Oracle 19c / NuGenesis 9.1
    • Oracle 12c / NuGenesis 9.0
    • JasperSoft Studio v5
  • NuGenesis 8
    • Oracle 11gR2
  • Log4Shell (Log4j version 2)
    • CVE-2021-44228
    • CVE-2021-45046
    • CVE-2021-45105
  • Log4Shell (Log4j versions 1 and 2)
    • CVE-2021-4104

ANSWER

Apache Log4j Vulnerability Update February 03, 2022

Waters is aware of the "zero day" vulnerability (CVE-2021-44228), announced by security researchers on Dec. 9, 2021, affecting a common software package (Apache Log4J). Because Log4j is widely used across web applications and cloud service providers, the full scope of this vulnerability is complex, and its impact is still being determined. Waters product and engineering teams continue to investigate this matter for potential impacts to Waters software products. Waters will provide updates about its findings and will notify customers with relevant information and/or instructions when the assessment is complete.


Waters NuGenesis

Waters performed an assessment of NuGenesis and Analytical Workflow Manager (AWM) application binaries and the third-party software code included in standard NuGenesis deployments. Vulnerability scans of these environments may identify the presence of Apache Log4j libraries. Version 1.x instances of Log4j libraries – indicated by Apache as not impacted (https://logging.apache.org/log4j/2.x/security.html) – are present in certain components of NuGenesis software.

Waters tested all supported versions of NuGenesis and Analytical Workflow Manager (AWM) and determined that the directories containing the affected Log4j libraries deployed by Oracle installations using the Waters-supplied media can be safely quarantined or removed. Quarantine by archiving the affected directories with zip or an equivalent utility is recommended over removal because it is reversible and thus less prone to errors. Waters' current findings are documented below. Please continue to check this page for further updates.
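The quarantine step recommended above, as an added Python example that is not Waters' tooling: it archives a directory into a timestamped zip, verifies the archive (CRC of every member plus a member count) before deleting anything, and can reverse the quarantine. The `suptools\tfa` directory built in `demo()` is a constructed stand-in under a temporary folder, not a real Oracle installation.

```python
import shutil
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path

def quarantine_directory(target: Path, quarantine_root: Path) -> Path:
    """Zip `target` into `quarantine_root`, verify the archive, then delete the
    original. Nothing is removed unless the archive reads back clean."""
    target, quarantine_root = Path(target).resolve(), Path(quarantine_root)
    quarantine_root.mkdir(parents=True, exist_ok=True)
    archive = quarantine_root / f"{target.name}-{datetime.now():%Y%m%dT%H%M%S}.zip"
    files = [p for p in target.rglob("*") if p.is_file()]
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            zf.write(p, str(p.relative_to(target.parent)))  # keeps the top-level dir name
    # Verify before deleting anything: CRC of every member plus a member count.
    with zipfile.ZipFile(archive) as zf:
        bad = zf.testzip()
        members = [n for n in zf.namelist() if not n.endswith("/")]
    if bad is not None or len(members) != len(files):
        archive.unlink()
        raise RuntimeError(f"archive of {target} failed verification; nothing removed")
    shutil.rmtree(target)
    return archive

def restore_directory(archive: Path, parent: Path) -> Path:
    """Reverse a quarantine by extracting the archive back under `parent`.
    Member names are checked so a tampered archive cannot write outside it."""
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name.startswith(("/", "\\")) or ".." in Path(name).parts:
                raise ValueError(f"unsafe member name in archive: {name}")
        zf.extractall(parent)
    return Path(parent) / Path(archive).stem.rsplit("-", 1)[0]

def demo() -> dict:
    """Constructed stand-in for an Oracle suptools\\tfa directory holding one jar."""
    base = Path(tempfile.mkdtemp())
    tfa = base / "suptools" / "tfa"
    (tfa / "jlib").mkdir(parents=True)
    (tfa / "jlib" / "log4j-core.jar").write_bytes(b"constructed placeholder, not a real jar")
    archive = quarantine_directory(tfa, base / "quarantine")
    result = {"archive_exists": archive.is_file(), "removed": not tfa.exists()}
    restored = restore_directory(archive, tfa.parent)
    result["restored"] = (restored / "jlib" / "log4j-core.jar").is_file()
    shutil.rmtree(base)
    return result
```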


  • NuGenesis 8 and 9 SDMS
  • The core SDMS application does not use Log4j v2 libraries.

The SDMS Instrument Agents included with all of the Data Adapter releases for NuGenesis 9.x and NuGenesis 8 SDMS contain a Log4j v1.2.8 library at:

<Drive:>\Program Files\Waters\SDMSInstrumentAgents\lib\org

The instrument agents are an optional feature of the Data Adapters and are not required in all systems. The default logging configuration for the agents does not use the JMSAppender class and therefore is not impacted (see Apache security alert: https://logging.apache.org/log4j/2.x/security.html).
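An added triage check (not part of this article or of Waters' software) for the distinction drawn above: a jar that a vulnerability scanner flags is classified as Log4j 1.x or 2.x from its Maven `pom.properties` and from the presence of `JndiLookup.class` (the 2.x class behind CVE-2021-44228) or `JMSAppender.class` (the 1.x class behind CVE-2021-4104), and a log4j 1.x configuration file is checked for an enabled JMSAppender. The two jars at the end are constructed in memory for the demonstration; real 1.x jars as old as 1.2.8 may carry no `pom.properties`, which is why the 1.x verdict also keys on the appender class.

```python
import io
import re
import zipfile

# Paths inside Log4j jars (real Apache layout); the CVE mapping follows the advisories cited above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # 2.x, CVE-2021-44228
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # 1.x, CVE-2021-4104
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"  # absent in pre-Maven jars such as 1.2.8

def triage_jar(jar_bytes: bytes) -> dict:
    """Report the Log4j line, the recorded version (if any) and a triage verdict for one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        for pom in (POM_2X, POM_1X):
            if pom in names:
                m = re.search(rb"^version=(.+)$", zf.read(pom), re.M)
                version = m.group(1).decode().strip() if m else None
                break
    if JNDI_LOOKUP in names:
        return {"line": "2.x", "version": version,
                "verdict": "JndiLookup present: affected by CVE-2021-44228, quarantine or patch"}
    if POM_2X in names:
        return {"line": "2.x", "version": version,
                "verdict": "JndiLookup absent: confirm the version against the Apache advisory"}
    if JMS_APPENDER in names or POM_1X in names:
        return {"line": "1.x", "version": version,
                "verdict": "not affected by the 2.x CVEs; CVE-2021-4104 applies only if the "
                           "logging configuration enables JMSAppender"}
    return {"line": "unknown", "version": version, "verdict": "not a recognised Log4j jar"}

def config_uses_jms_appender(config_text: str) -> bool:
    """True when a log4j 1.x .properties or .xml configuration enables JMSAppender.
    '#' comment lines and XML comments are ignored, so a commented-out appender does not count."""
    live = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    live = "\n".join(l for l in live.splitlines() if not l.lstrip().startswith("#"))
    return "org.apache.log4j.net.JMSAppender" in live

def make_jar(entries: dict) -> bytes:
    """Build a constructed in-memory jar for the demonstration (not an Apache build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-ins for the two cases the article distinguishes (class bodies are empty).
LOG4J_1_JAR = make_jar({POM_1X: b"version=1.2.8\n", JMS_APPENDER: b""})
LOG4J_2_JAR = make_jar({POM_2X: b"version=2.14.1\n", JNDI_LOOKUP: b""})
```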


  • NuGenesis 8 and 9 LMS
  • NuGenesis LMS makes use of Log4j libraries on the LMS Server located at:

NuGenesis 8 LMS Server:
<Drive:>\WatersLMSServer\lib\org
<Drive:>\WatersLMSServer\Jboss-6.0.0.Final\client
<Drive:>\WatersLMSServer\Jboss-6.0.0.Final\common\lib

The default logging configuration for the Jboss log manager does not use the JMSAppender class and therefore is not impacted (see Apache security alert: https://logging.apache.org/log4j/2.x/security.html).

NuGenesis 9.x LMS Server:
<Drive:>\WatersLMSServer\Wildfly-11.0.0.Final\modules\system\layers\base\org\jboss\log4j\logmanager\main - present in all installs
<Drive:>\WatersLMSServer\SAPInterface\actback\lib3rd\wildfly - present only if the LMS-SAP Interface is installed
<Drive:>\WatersLMSServer\Workflow\actback\lib3rd\wildfly - present only if the NuGenesis Connectors server is installed

The Log4j version used (1.1.4) is not impacted by the Log4j V2 vulnerabilities (see Apache security alert: https://logging.apache.org/log4j/2.x/security.html).


  • NuGenesis 9.1, 9.2 Oracle Database (Oracle 19c)
  • Default installations of NuGenesis 9.1 and 9.2 include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Affected Log4j libraries are located at:

<Drive:>\oracle\product\19.6.0\Oracle19c\suptools\tfa
This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the NuGenesis product and the directory <Drive:>\oracle\product\19.6.0\Oracle19c\suptools\tfa can be quarantined or removed without impacting normal operation of NuGenesis.

<Drive:>\oracle\product\19.6.0\Oracle19c\md
This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the NuGenesis product and the directory <Drive:>\oracle\product\19.6.0\Oracle19c\md can be quarantined or removed without impacting normal operation of NuGenesis.


  • NuGenesis 9.0 Oracle Database (Oracle 12c)
  • Default installations of NuGenesis 9.0 include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Affected Log4j libraries are located at:

Version 1.x copies of the Log4j library are present in Oracle Database 12c and in the JasperSoft Studio program. Neither case requires any remediation. In addition, JasperSoft Studio is used only to develop reports for NuGenesis LMS. Access to this application should be restricted to those who develop Jasper reports.

<Drive:>\Program Files\TIBCO\Jaspersoft Studio-6.4.0\plugins
Version 1.x Log4j libraries are not affected. (https://community.jaspersoft.com/wik...rsoft-products)

<Drive:>\oracle\product\12.2.0\Oracle12cR2\ccr\lib
Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)

<Drive:>\oracle\product\12.2.0\Oracle12cR2\sqldeveloper\sqldeveloper\lib
While an affected Log4j library is present, it is not used by SQL Developer (Oracle Doc ID 2828123.1). SQL Developer is neither used by nor required for NuGenesis product operation. The parent directory <Drive:>\oracle\product\12.2.0\Oracle12cR2\sqldeveloper can be quarantined or removed without impacting normal operation of NuGenesis.

<Drive:>\oracle\product\12.2.0\Oracle12cR2\oui\jlib\jlib
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

<Drive:>\oracle\product\12.2.0\Oracle12cR2\sysman\jlib\ocm
Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)

  • NuGenesis 8.x
  • Default installations of NuGenesis 8.x include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Affected Log4j libraries are located at:

<Drive:>\oracle\product\11.2.0\SDMS\inventory\scripts\ext\jlib
Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)

<Drive:>\oracle\product\11.2.0\SDMS\ccr\lib
Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)

<Drive:>\oracle\product\11.2.0\SDMS\oui\jlib\jlib
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

<Drive:>\oracle\product\11.2.0\SDMS\sysman\jlib
Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)

<Drive:>\oracle\product\11.2.0\SDMS\sysman\jlib\ocm
Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)


  • Analytical Workflow Manager (AWM) 2.0
  • Default installations of AWM 2.0 include Oracle Database installations that contain 1.x Apache Log4j libraries. Vulnerability scans of these environments may detect the presence of Apache Log4j libraries. Log4j libraries are located at:

<Drive:>\app\oracle\product\12.1.0\dbhome_1\ccr
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

<Drive:>\app\oracle\product\12.1.0\dbhome_1\sysman
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

<Drive:>\app\oracle\product\12.1.0\dbhome_1\sqldeveloper
Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)

<Drive:>\app\oracle\product\12.1.0\dbhome_1\oui
Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)


  • Waters has also assessed possible impacts of the Log4j vulnerability on the following products that are often used in conjunction with NuGenesis; our initial investigation indicates no impact, and we continue to assess:
  • Paradigm - Log4j libraries are not present in default installations of Paradigm.
