Ridom SeqSphere+ Client Patch for Log4j

NEW UPDATE AVAILABLE:

With the release of SeqSphere 8.2.0 the log4j library was updated to a version that is not affected by CVE-2021-44228.
Therefore it is strongly recommended to update to version 8.2 instead of using the patch described below!

 

If an update to version 8.2 is not possible at the moment:

SeqSphere prior 8.2 uses log4j library version 1.2, which is not directly affected by CVE-2021-44228. However, according to discussions it could occasionally be affected under certain very specific configurations. Therefore, as a precaution the following SeqSphere patch removes the critical classes from the log4j library (complete package org.apache.log4j.net) that are required for the exploition scenario.

This patch update can be installed to every SeqSphere+ version and does not change the SeqSphere+ version number. Alternatively to the prcocedures described below, the patch can also be installed manually by extracting the download files (with zip) and copying the content into the SeqSphere+ client/server installation folder.

Patching the Client

To install the file SeqSphere_Client_Log4j_Dec2021_patch.upd from below and import it by using the SeqSphere+ menu function:
Help | Import Update File

Patching the Server

  1. Download the file from SeqSphere_Server_Log4j_Dec2021_patch.upd below
  2. Use the SeqSphere+ Client and log in as Administrator
  3. Invoke menu function: Administration | Server System Administration
  4. Use the button Server Import Update and choose the downloaded file
  5. Wait until the server has finished the update and automatically shuts down, and restart it

After the patch was successfully installed, the SeqSpehre installation folder should contain the file log4j_patch_installed.txt.

[ICO]NameSize
[ ]SeqSphere_Server_Log4j_Dec2021_patch.upd390K
[ ]SeqSphere_Client_Log4j_Dec2021_patch.upd 14M

Copyright © Ridom GmbH, Germany