Waters

Does the Apache "Log4Shell" vulnerability in log4j affect NuGenesis? - WKB224434

Article number: 224434

ENVIRONMENT

  • NuGenesis 9
    • Oracle 19c / NuGenesis 9.1, 9.2, 9.3
    • Oracle 12c / NuGenesis 9.0
    • JasperSoft Studio v5, v6
  • NuGenesis 8
    • Oracle 11gR2
  • Log4Shell (Log4j version 2)
    • CVE-2021-44228
    • CVE-2021-45046
    • CVE-2021-45105
  • Log4Shell (Log4j versions 1 and 2)
    • CVE-2021-4104

ANSWER

Waters performed an assessment of NuGenesis and Analytical Workflow Manager (AWM) application binaries and the third-party software code included in standard NuGenesis deployments. Vulnerability scans of these environments may identify the presence of Apache Log4j libraries. Version 1.x instances of Log4j libraries – indicated by Apache as not impacted (https://logging.apache.org/log4j/2.x/security.html) – are present in certain components of NuGenesis software.

Waters tested all supported versions of NuGenesis and Analytical Workflow Manager (AWM) and determined that the directories containing the affected Log4j libraries deployed by Oracle installations using the Waters-supplied media can be safely quarantined or removed. Quarantine by archiving the affected directories using zip or equivalent utility is recommended over removal because it’s reversible and thus less prone to errors. Waters’ current findings are documented below. Please continue to check this page for further updates.

NOTE: If a Log4j vulnerability is detected on a NuGenesis system in a file outside of the paths given below, then that file is unused by NuGenesis. Removing the file(s) will not impact NuGenesis; however, it may affect the functionality of the software packages associated with those files.

  • NuGenesis 8 and 9 SDMS Applications
    • The core SDMS application does not use Log4j v2 libraries
    • The SDMS Instrument Agents included with all of the Data Adapter releases for NuGenesis 9.x and NuGenesis 8 SDMS contain a Log4j v1.2.8 library at:
      • Drive:\Program Files\Waters\SDMSInstrumentAgents\lib\org
    • The instrument agents are an optional feature of the Data Adapters and are not required in all systems. The default logging configuration for the agents does not use the JMSAppender class and therefore is not impacted. (see Apache security alert: https://logging.apache.org/log4j/2.x/security.html)
  • NuGenesis 8 and 9 LMS Applications
    • NuGenesis LMS makes use of Log4j libraries on the LMS Server located at:
      • NuGenesis 8 LMS Server:
        • Drive:\WatersLMSServer\lib\org
        • Drive:\WatersLMSServer\Jboss-6.0.0.Final\client
        • Drive:\WatersLMSServer\Jboss-6.0.0.Final\common\lib
        • The default logging configuration for the Jboss log manager does not use the JMSAppender class and therefore is not impacted (see Apache security alert: https://logging.apache.org/log4j/2.x/security.html)
      • NuGenesis 9.x LMS Server:
        • Drive:\WatersLMSServer\Wildfly-11.0.0.Final\modules\system\layers\base\org\jboss\log4j\logmanager\main - present in all installs
        • Drive:\WatersLMSServer\SAPInterface\actback\lib3rd\wildfly - present only if the LMS-SAP Interface is installed
        • Drive:\WatersLMSServer\Workflow\actback\lib3rd\wildfly - present only if the NuGenesis Connectors server is installed
        • The Log4j version used (1.1.4) is not impacted by the Log4j V2 vulnerabilities (see Apache security alert: https://logging.apache.org/log4j/2.x/security.html)
      • JasperSoftStudio:
  • NuGenesis 9.1, 9.2 Oracle Database (Oracle 19c)
    • Installations of NuGenesis 9.1 and 9.2 Oracle Databases on Windows have Log4j libraries in the following locations:
      • Drive:\oracle\product\19.6.0\Oracle19c\suptools\tfa
        • This is part of the Oracle Trace File Analyzer product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the NuGenesis product and the directory can be removed without impacting normal operation of NuGenesis.
      • Drive:\oracle\product\19.6.0\Oracle19c\md
        • This is part of the Oracle Spatial product bundled together with the Oracle database software. A patch for it is listed in Oracle Doc ID 2830143.1. However, this component is not used by the NuGenesis product and the directory can be removed without impacting normal operation of NuGenesis.
  • NuGenesis 9.0 Oracle Database (Oracle 12c)
    • Installations of NuGenesis 9.1 and 9.2 Oracle Databases on Windows have Log4j libraries in the following locations:
      • <Drive:>\oracle\product\12.2.0\Oracle12cR2\ccr\lib
        • These version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)
      • <Drive:>\oracle\product\12.2.0\Oracle12cR2\sqldeveloper\sqldeveloper\lib
        • While an affected Log4j library is present, it is not used by SQL Developer. (Oracle Doc ID 2828123.1) SQL Developer is neither used nor mandatory for NuGenesis product operation. The parent directory can be removed without impacting normal operation of NuGenesis.
      • <Drive:>\oracle\product\12.2.0\Oracle12cR2\oui\jlib\jlib
        • Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)
      • <Drive:>\oracle\product\12.2.0\Oracle12cR2\sysman\jlib\ocm
        • These version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)
  • NuGenesis 8.x Oracle Database (Oracle 11g)
    • Default installations of NuGenesis 8.x include Oracle Database installations that contain Apache Log4j libraries. Vulnerability scans of these environments may identify vulnerable versions of Apache Log4j libraries. Affected Log4j libraries are located at:
      • <Drive:>\oracle\product\11.2.0\SDMS\inventory\scripts\ext\jlib
        • Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)
      • <Drive:>\oracle\product\11.2.0\SDMS\ccr\lib
        • Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)
      • <Drive:>\oracle\product\11.2.0\SDMS\oui\jlib\jlib
        • Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)
      • <Drive:>\oracle\product\11.2.0\SDMS\sysman\jlib
        • Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)
      • <Drive:>\oracle\product\11.2.0\SDMS\sysman\jlib\ocm
        • Version 1.x Log4j libraries are not affected. (Oracle Doc ID 2830143.1)
  • Analytical Workflow Manager (AWM) 2.0
    • Default installations of AWM 2.0 include Oracle Database installations that contain 1.x Apache Log4j libraries. Vulnerability scans of these environments may detect the presence of Apache Log4j libraries. Log4j libraries are located at:
      • <drive>:\app\oracle\product\12.1.0\dbhome_1\ccr
        • Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)
      • <drive>:\app\oracle\product\12.1.0\dbhome_1\sysman
        • Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)
      • <drive>:\app\oracle\product\12.1.0\dbhome_1\sqldeveloper
        • Version 1.x Log4j libraries are not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)
      • <drive>:\app\oracle\product\12.1.0\dbhome_1\oui
        • Oracle Universal Installer is not affected by Log4j vulnerabilities. (Oracle Doc ID 2830143.1)
  • Paradigm Scientific Search
    • Log4j libraries are not present in default installations of Paradigm
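The following PowerShell script is an added example, not a Waters-supplied tool: it inventories the log4j jars (with the version read from each jar's manifest) under the Oracle directories this article states are unused by NuGenesis, and quarantines them the way the article recommends, by zipping first, verifying the archive, and only then removing the directory. It assumes Oracle is installed on C: at the paths listed above and that it runs elevated with the Oracle services stopped; $Drive and $Targets are assumptions to adjust for your system.

```powershell
# Added example, not a Waters-supplied script. Assumptions: Oracle on C:,
# paths as in the article, run elevated with Oracle services stopped.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$Drive      = 'C:'
$Quarantine = "$Drive\Log4jQuarantine"
# Directories the article says NuGenesis does not use (edit to fit your install).
$Targets    = @(
    "$Drive\oracle\product\19.6.0\Oracle19c\suptools\tfa",
    "$Drive\oracle\product\19.6.0\Oracle19c\md",
    "$Drive\oracle\product\12.2.0\Oracle12cR2\sqldeveloper"
)

function Get-Log4jInventory {
    # List every log4j*.jar under $Path with the version from its manifest,
    # so a 1.x (not affected) jar can be told from a 2.x one before acting.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter 'log4j*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $version = 'unknown'
        try {
            $zip   = [System.IO.Compression.ZipFile]::OpenRead($_.FullName)
            $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
            if ($entry) {
                $text = (New-Object System.IO.StreamReader($entry.Open())).ReadToEnd()
                if ($text -match '(?m)^(?:Implementation|Bundle)-Version:\s*(\S+)') {
                    $version = $Matches[1]
                }
            }
            $zip.Dispose()
        } catch { }
        [pscustomobject]@{ Jar = $_.FullName; Version = $version }
    }
}

function Invoke-Log4jQuarantine {
    # Archive $Path into $Quarantine, confirm the zip opens, only then delete.
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Host "Absent, skipping: $Path"; return }
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $name    = ($Path -replace '[:\\]', '_') + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.zip'
    $archive = Join-Path $Quarantine $name
    Compress-Archive -Path $Path -DestinationPath $archive
    [System.IO.Compression.ZipFile]::OpenRead($archive).Dispose()   # throws if unreadable
    Remove-Item -Path $Path -Recurse -Force
    Write-Host "Quarantined $Path -> $archive (restore: Expand-Archive into the parent folder)"
}

foreach ($t in $Targets) { Get-Log4jInventory -Path $t | Format-Table -AutoSize }
# After reviewing the inventory: foreach ($t in $Targets) { Invoke-Log4jQuarantine -Path $t }
```

Run the inventory first and confirm every jar reported is in a directory the article lists as unused before enabling the quarantine line; the zip in $Quarantine is the rollback.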

ADDITIONAL INFORMATION
