Summary of Log4j Use in LI‑COR Software
Like many software applications, LI‑COR software uses a third-party library from the Apache Software Foundation called "Log4j". Log4j is a logging library: it gives software applications an efficient way to record important software operations, and such logging is a critical part of almost all software applications.
Recently, security vulnerabilities were discovered in some versions of Log4j (CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, CVE-2021-44228). Although Empiria Studio® Software and LI‑COR® Acquisition Software do use affected versions of Log4j, LI‑COR engineers have determined that the use of Log4j in Empiria Studio and LI‑COR Acquisition does not constitute a security problem for computers that have not already been compromised in some other way. If you keep your computer safe following appropriate security measures, the use of Log4j in Empiria Studio and LI‑COR Acquisition does not pose a security risk.
Out of an abundance of caution, new versions of Empiria Studio and LI‑COR Acquisition will be released at the end of January 2022 with a new version of Log4j that does not have the vulnerabilities.
More Detail
The software applications listed below use Log4j. The applications either do not use the vulnerable features of Log4j or the use of Log4j in the application does not pose a problem for computers that have not already been compromised.
CVE | Empiria Studio Software | LI‑COR Acquisition Software | Image Studio Software |
---|---|---|---|
CVE-2021-45105 | This vulnerability requires the use of Thread Context Map. Empiria Studio does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. LI‑COR Acquisition does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. Image Studio does not use Thread Context Map. |
CVE-2021-45046 | This vulnerability requires the use of Thread Context Map. Empiria Studio does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. LI‑COR Acquisition does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. Image Studio does not use Thread Context Map. |
CVE-2021-44832 | This vulnerability requires the use of JDBC Appender. Empiria Studio does not use JDBC Appender. | This vulnerability requires the use of JDBC Appender. LI‑COR Acquisition does not use JDBC Appender. | This vulnerability requires the use of JDBC Appender. Image Studio does not use JDBC Appender. |
CVE-2021-44228 | The use of Log4j in Empiria Studio does not pose a problem for computers that have not already been compromised. | The use of Log4j in LI‑COR Acquisition does not pose a problem for computers that have not already been compromised. | Uses a version of Log4j that does not contain the CVE-2021-44228 vulnerability. |
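The feature conditions named in the table (Thread Context Map, JDBC Appender) can be checked against a deployed Log4j 2 configuration. The script below is an added example, not LI‑COR code: it assumes the application is configured through a Log4j 2 XML file, the sample configuration and the function name `audit_log4j2_config` are constructed for illustration, and it inspects configuration only, not what the application's own code places in the Thread Context Map.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration; not taken from any LI-COR product.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
    </Console>
    <RollingFile name="File" fileName="logs/app.log" filePattern="logs/app-%i.log">
      <PatternLayout pattern="%d ${ctx:sessionId} %X{user} %m%n"/>
      <Policies><SizeBasedTriggeringPolicy size="10 MB"/></Policies>
    </RollingFile>
    <JDBC name="Db" tableName="app_log">
      <DataSource jndiName="java:/comp/env/jdbc/LogDb"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

# Configuration-side reads of the Thread Context Map: ${ctx:key} lookups and
# the %X / %mdc / %MDC pattern converters (optionally with width modifiers).
CHECKS = (
    ("ctx-lookup", re.compile(r"\$\{ctx:[^}]*\}")),
    ("ctx-pattern", re.compile(r"%-?\d*(?:\.\d+)?(?:X|mdc|MDC)\b")),
)

def audit_log4j2_config(xml_text):
    """Return (kind, detail, location) tuples for each feature reference found."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        plugin = elem.get("type", tag)             # strict-mode: <Appender type="JDBC">
        if plugin.lower() == "jdbc":               # plugin names are case-insensitive
            findings.append(("jdbc-appender", elem.get("name", "?"), tag))
        # Scan attribute values and element text (e.g. <Pattern>...</Pattern>).
        values = list(elem.attrib.items()) + [("text", elem.text or "")]
        for where, value in values:
            for kind, rx in CHECKS:
                for m in rx.finditer(value):
                    findings.append((kind, m.group(0), f"{tag}@{where}"))
    return findings

if __name__ == "__main__":
    for kind, detail, location in audit_log4j2_config(SAMPLE_CONFIG):
        print(f"{kind:14} {detail:20} {location}")
```

An empty result means the configuration file itself does not reference these features; the Log4j version in use still has to be confirmed separately.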
Third-Party Library Definition
The term "third-party library" refers to code that is included in a software application but that was written by someone other than the primary developer of the software application. Third-party libraries are created to perform functions that are common to many software applications so that the functions do not have to be re-developed in each software application that needs to perform the function. Developers include third-party libraries in their software applications so that they can focus on developing unique features for the people who use their software.
It is a standard practice in the software industry to use third-party libraries.