Investigation of Log4j Vulnerability with Illumina instruments

01/18/2022


On December 10, 2021, Illumina was made aware of a vulnerability in the Apache Log4j software suite (CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832). This software component is a Java-based logging utility and part of the Apache Logging Services Foundation products.

After Illumina became aware of the issue, we launched an investigation to identify potentially affected products and assess risk, and we have the following update:

The scope of products currently evaluated:

  • MiSeq
  • MiSeqDx
  • MiniSeq
  • NextSeq 500/550
  • NextSeq 550Dx
  • NextSeq 1000/2000
  • iSeq
  • NovaSeq 6000
  • HiSeq 1500/2500
  • HiSeq 3000/4000
  • HiSeq X
  • iScan
Status of evaluation:

  • For all models other than HiSeq series: the base shipping configuration is not affected.
  • For all HiSeq series models: the base shipping configuration is mitigated.
  • For all models: certain software installations and configurations may introduce affected components.
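The third bullet is the one a site administrator has to act on: whether an affected log4j component is present depends on what was installed after shipping. The script below is an added example (not Illumina's tooling) of the inventory check that answers that question for a given installation directory. It walks the tree, reports every jar whose file name identifies it as log4j, reads the version from the jar's manifest when one is present, and for the 2.x line notes whether the jar still carries the JndiLookup class involved in CVE-2021-44228. The fixed-release floors it compares against (2.3.2, 2.12.4, 2.17.1) are the ones Apache published for the respective 2.x branches; the sample jars are constructed in a temporary directory so the script runs offline.

```python
"""Inventory log4j jars under a directory tree (added example, not Illumina code)."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-api-2.17.1.jar
NAME_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)?)-(\d+(?:\.\d+)*)\.jar$", re.I)
# Apache's fixed releases for the older 2.x branches (Java 6 / Java 7); all others use 2.17.1.
FIXED_FLOOR = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
DEFAULT_FLOOR = (2, 17, 1)


@dataclass
class Finding:
    path: str
    artifact: str            # "log4j" (1.x) or e.g. "log4j-core" (2.x)
    version: str
    jndi_lookup_present: bool


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v))


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if the jar has one."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding if the jar's name identifies it as log4j, else None."""
    m = NAME_RE.match(os.path.basename(path))
    if not m:
        return None
    artifact, version = m.group(1).lower(), m.group(2)
    jndi = False
    try:
        with zipfile.ZipFile(path) as jar:
            version = manifest_version(jar) or version   # manifest wins over file name
            jndi = JNDI_LOOKUP in jar.namelist()
    except zipfile.BadZipFile:
        pass                                             # report it anyway, by name
    return Finding(path, artifact, version, jndi)


def scan(root: str) -> List[Finding]:
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                hit = inspect_jar(os.path.join(dirpath, f))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda x: x.path)


def classify(f: Finding) -> str:
    """Triage label: branch, position relative to the fixed release, JndiLookup state."""
    vt = version_tuple(f.version)
    if vt[0] == 1:
        return "log4j 1.x: end-of-life branch, not covered by the 2.x fixed releases"
    floor = FIXED_FLOOR.get(vt[:2], DEFAULT_FLOOR)
    state = "below" if vt < floor else "at or above"
    jndi = "present" if f.jndi_lookup_present else "absent"
    return f"log4j 2.x {state} fixed release {'.'.join(map(str, floor))}; JndiLookup class {jndi}"


def build_sample_tree(root: str) -> None:
    """Constructed sample: a 1.x jar, a 2.x core jar still carrying JndiLookup, and a non-log4j jar."""
    lib = os.path.join(root, "vendor", "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        z.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "commons-io-2.11.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo() -> List[Tuple[str, str, str]]:
    """Build the sample tree in a temp dir, scan it, and return (file name, version, label)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.basename(f.path), f.version, classify(f)) for f in scan(root)]


if __name__ == "__main__":
    for name, version, label in demo():
        print(f"{name:28} {version:8} {label}")
```

Point `scan()` at the instrument's software directory instead of the constructed tree to get the real inventory. A jar that is at or above the fixed release still reports the JndiLookup class as present, because the fixed releases keep the class and disable the lookup; the version comparison, not the class check, is what decides the triage label for 2.x.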

Known Affected Components:

  • Illumina Local Run Manager (LRM)
    • This optional software module ships with an optional subcomponent, the Genome Analysis Tool Kit (GATK, MIT), which contains an affected version of log4j v.1.x.
    • This component is not accessible remotely, requires authenticated console access, and requires a measurable amount of preparation to execute a successful attack.
    • This module is currently risk assessed as mitigated.
      CVSS 3.1 base score: 6.1 (Medium); temporal and environmental scores: 5.4 (Medium)
      CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:U/RL:W/RC:C
  • All HiSeq models:
    • All HiSeq models ship with the Broadcom LSI MegaRAID Storage Manager Suite installed. This software contains an affected version of log4j v.1.x. The default shipping configuration of the HiSeq unit blocks remote access to this component; exploiting it requires authenticated console access and a measurable amount of preparation to execute a successful attack.
    • Note: If the device firewall settings have been disabled or modified, remote access to this software component on TCP port 80 (HTTP) is possible. Customers are advised to confirm that any system modifications have not disabled the default firewall settings.
    • This module is currently risk assessed as mitigated.
      CVSS 3.1 base score: 6.1 (Medium); temporal and environmental scores: 5.4 (Medium)
      CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:U/RL:W/RC:C

For updates on specific Illumina instruments, Illumina recommends that our customers monitor the Technical Bulletins page. Illumina will continue to provide updates as necessary based on our investigation.

Illumina takes data privacy and security issues very seriously, and we hope this information helps alleviate any concerns about this vulnerability. If you have any questions, email techsupport@illumina.com.