Summary of Log4j Use in LI‑COR Software

Like many software applications, LI‑COR software uses a third-party library from the Apache Software Foundation called "Log4j". Log4j is code that provides an efficient way for software applications to record important software operations, which is a critical part of almost all software applications.

Recently, security vulnerabilities were discovered in some versions of Log4j (CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, CVE-2021-44228). Although Empiria Studio® Software and LI‑COR® Acquisition Software do use affected versions of Log4j, LI‑COR engineers have determined that the use of Log4j in Empiria Studio and LI‑COR Acquisition does not constitute a security problem for computers that have not already been compromised in some other way. If you keep your computer safe following appropriate security measures, the use of Log4j in Empiria Studio and LI‑COR Acquisition does not pose a security risk.

Out of an abundance of caution, new versions of Empiria Studio and LI‑COR Acquisition will be released at the end of January 2022 with a new version of Log4j that does not have the vulnerabilities.

More Detail

The software applications listed below use Log4j. The applications either do not use the vulnerable features of Log4j or the use of Log4j in the application does not pose a problem for computers that have not already been compromised.

| CVE | Empiria Studio Software | LI‑COR Acquisition Software | Image Studio Software |
| --- | --- | --- | --- |
| CVE-2021-45105 | This vulnerability requires the use of Thread Context Map. Empiria Studio does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. LI‑COR Acquisition does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. Image Studio does not use Thread Context Map. |
| CVE-2021-45046 | This vulnerability requires the use of Thread Context Map. Empiria Studio does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. LI‑COR Acquisition does not use Thread Context Map. | This vulnerability requires the use of Thread Context Map. Image Studio does not use Thread Context Map. |
| CVE-2021-44832 | This vulnerability requires the use of JDBC Appender. Empiria Studio does not use JDBC Appender. | This vulnerability requires the use of JDBC Appender. LI‑COR Acquisition does not use JDBC Appender. | This vulnerability requires the use of JDBC Appender. Image Studio does not use JDBC Appender. |
| CVE-2021-44228 | The use of Log4j in Empiria Studio does not pose a problem for computers that have not already been compromised. | The use of Log4j in LI‑COR Acquisition does not pose a problem for computers that have not already been compromised. | Uses a version of Log4j that does not contain the CVE-2021-44228 vulnerability. |
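
The preconditions named in the table (Thread Context Map, JDBC Appender) can be checked in a Log4j 2 XML configuration file. The following is an added example, not LI‑COR code: the function name and the sample configuration are constructed for illustration, and it inspects configuration only, not ThreadContext calls made in application code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from any LI-COR product.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p ${ctx:loginId} %X{requestId} %m%n"/>
    </Console>
    <JDBC name="Db" tableName="logs">
      <DataSource jndiName="java:/comp/env/jdbc/LogDb"/>
    </JDBC>
  </Appenders>
</Configuration>"""

# Thread Context Map references: ${ctx:key} lookups and %X / %mdc / %MDC converters.
CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")
CTX_PATTERN = re.compile(r"%(?:X|mdc|MDC)\b(?:\{[^}]*\})?")

# Which CVEs from the table each kind of finding is a precondition for.
RELATED_CVES = {
    "context-lookup": ["CVE-2021-45105", "CVE-2021-45046"],
    "context-map-pattern": ["CVE-2021-45105", "CVE-2021-45046"],
    "jdbc-appender": ["CVE-2021-44832"],
}

def audit_log4j2_config(xml_text):
    """Return (kind, detail) pairs for each table precondition found in the config."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any
        # Concise syntax (<JDBC ...>) and strict syntax (<Appender type="JDBC" ...>).
        if tag == "JDBC" or elem.get("type") == "JDBC":
            findings.append(("jdbc-appender", elem.get("name", "")))
        for value in [*elem.attrib.values(), elem.text or ""]:
            for kind, rx in (("context-lookup", CTX_LOOKUP),
                             ("context-map-pattern", CTX_PATTERN)):
                for match in rx.finditer(value):
                    findings.append((kind, match.group(0)))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_log4j2_config(SAMPLE_CONFIG):
        print(f"{kind}: {detail!r} -> review {', '.join(RELATED_CVES[kind])}")
```

An empty result means the configuration file itself does not reference these features.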

Third-Party Library Definition

The term "third-party library" refers to code that is included in a software application but that was written by someone other than the primary developer of the software application. Third-party libraries are created to perform functions that are common to many software applications so that the functions do not have to be re-developed in each software application that needs to perform the function. Developers include third-party libraries in their software applications so that they can focus on developing unique features for the people who use their software.

It is a standard practice in the software industry to use third-party libraries.