Bruker patches for Log4j CVE-2021-44228 issue

Last updated: 2:30 p.m. January 17th, 2022

TopSpin

Affected versions

  • TopSpin 3.5
  • TopSpin 3.6
  • TopSpin 4

Older versions of TopSpin use the Log4j 1.x version of the library, which is not affected.

How to apply the patch
The current version of Bruker patch is available here:


The patch automatically identifies product installations on your system and provides a graphical user interface for information.

Windows
The patch is delivered as an executable file. After download, double-click the file to start the patch. It automatically requests administrative privileges for execution.

Linux
The patch is delivered as an executable file. After download, open a shell, make sure you have administrative privileges on your machine, then execute the .sh file.

macOS
The patch is delivered as a disk image. After download, double-click the .dmg file to mount it, then execute the installer file shown. You may need to go to “System Preferences / Security & Privacy” and approve the execution of the installer.


Please find a change log and more information here: 


The TopSpin Log4j Patcher will fix existing TopSpin and GoScan installations that may use affected Log4j 2 versions. Details about the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

This tool will remove the JndiLookup class from the installation. This is a recommended mitigation strategy described on the official Apache Log4j website: https://logging.apache.org/log4j/2.x/security.html#


Please note that the patch executable cannot be used on the CentOS 5 operating system (which has been end of life since March 2017).

Last updated: 18:00 p.m. December 20th, 2021

ParaVision

Affected versions 

  • ParaVision 360

Older versions of ParaVision are based on older versions of TopSpin. These TopSpin versions use the Log4j 1.x version of the library, which is not affected.

How to apply the patch
The current version of Bruker patch is available here:


The patch is delivered as a compressed zip file. Please unpack it and execute the following command from the command line (shell or terminal). Executing this script may require administrative privileges on your machine.

Linux

    cd ts-log4shell-patch
    ./bin/ts-log4shell-patch -d /opt/PV-360.3.2

Execute this script for each ParaVision 360 version you have installed.

The TopSpin Log4j Patcher (ts-log4shell-patch) will fix existing TopSpin installations that may use affected Log4j 2 versions. Details about the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

This tool will remove the JndiLookup class from the installation. This is a recommended mitigation strategy described on the official Apache Log4j website: https://logging.apache.org/log4j/2.x/security.html#

Version 1.0.5 or later of the patch also handles the file bsmsserver.jar. This file was not critical, but it could be flagged by common scanning tools.

Last updated: 6:00 p.m. December 22nd, 2021

GoScan

Affected versions

  • GoScan 3

The patch for TopSpin installations can be used for GoScan installations as well. Please follow the instructions given for TopSpin above. The patch automatically identifies product installations on your system and provides a graphical user interface for information.

Note: For any GoScan version earlier than 3.0, please upgrade to the latest GoScan version first, then apply the patch.

Please download and run this patch even if you have applied earlier versions of the patch. Version 1.0.8 also removes backup copies of the affected file; these are not critical for your system but may still cause warnings from vulnerability scanners.


The GoScan Log4j Patcher (install4j-goscan-log4j2-patch) will fix existing GoScan installations that may use affected Log4j 2 versions. Details about the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

This tool will remove the JndiLookup class from the installation. This is a recommended mitigation strategy described on the official Apache Log4j website: https://logging.apache.org/log4j/2.x/security.html#

Version 1.0.1 or later of the patch also handles the file bsmsserver.jar. This file was not critical, but it could be flagged by common scanning tools.

Last updated: 3:30 p.m. March 17th, 2022

Bruker Daltonics Software

Affected versions

Only the server part of the following Bruker Daltonics client/server solutions is affected:

  • HyStar
  • BioPharma Compass®
  • ProteinScape®
  • TASQ®
  • MetaboScape®
  • ToxTyper

Details about the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

This tool will remove the JndiLookup class from the installation. This is a recommended mitigation strategy described on the official Apache Log4j website: https://logging.apache.org/log4j/2.x/security.html#
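Each section above describes the same mitigation: the Bruker patcher deletes the JndiLookup class from the affected Log4j 2 archives. The following script is an added example (not Bruker's tool) that a practitioner can run after patching to confirm no archive under an installation root, including leftover backup copies such as .jar.bak files, still carries that class. The directory tree and jar contents it builds are constructed purely for the demo.

```python
"""Post-patch check for CVE-2021-44228: list archives under an install root
that still contain JndiLookup. Added example; not part of the Bruker patch."""
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(path):
    """Return (has_jndi_lookup, log4j_core_version_or_None) for one archive."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:  # log4j-core ships its version in pom.properties
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            return JNDI_CLASS in names, version
    except zipfile.BadZipFile:
        return False, None  # not a zip archive (e.g. truncated file); nothing to assess


def scan_install(root):
    """Walk an installation; return sorted (relative path, version) for every
    archive that still holds JndiLookup. Any file name containing '.jar' is
    checked, so backup copies like foo.jar.bak are covered (assumed naming)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".jar" not in name.lower():
                continue
            full = os.path.join(dirpath, name)
            has_jndi, version = inspect_jar(full)
            if has_jndi:
                findings.append((os.path.relpath(full, root), version))
    return sorted(findings)


def build_demo_install():
    """Constructed sample tree: one patched jar, one unpatched jar, one .bak copy."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "prog", "lib")
    os.makedirs(lib)
    for name, with_jndi in [("log4j-core-2.14.1.jar", False),       # patched
                            ("log4j-core-2.14.1.jar.bak", True),    # leftover backup
                            ("unpatched-demo.jar", True)]:          # still vulnerable
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr(POM_PROPS, "version=2.14.1\n")  # constructed metadata
            zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root
```

An empty result from scan_install means the mitigation is in place for every archive under that root; any listed entry should be re-patched or, for backup copies, removed so vulnerability scanners stop flagging it.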


The current version of Bruker patch is available here:

The log4j patch will fix existing Compass Server installations that use affected Log4j 2 versions. The patch is delivered as a compressed zip file. Unpack it and read the instructions in the readme.txt file first. Details on the patch and a step-by-step guide to the actions the script performs can be found in this document.


Check if your computer needs to be patched

Open the Windows Services dialog (you need administrative rights). Check whether the Bruker Compass Server Service is present and running on your computer. If yes, apply the log4j patch on this computer. If not, no further action is needed.

How to apply the patch

WARNING: Make sure that no measurements or data processing tasks are running. The execution of the script will stop and restart the Compass server service!

Extract the content of the .zip file. You should see three files (patch-log4j2.bat, patch-log4j2.ps1, readme.txt) and one folder (patch-files).

Select “patch-log4j2.bat” with a left-mouse-button click. See screenshot (1).

Open the context menu for this file with a right-mouse-button click.

Select “Run as administrator” to execute the batch file "patch-log4j2.bat" with administrative privileges. See screenshot (2).

IMPORTANT: Always run the script using "Run as administrator", even if you are logged in as a user with administrative rights! If you are unsure about running scripts with administrative rights, please involve your local IT team for support.