Updated 3 January, 2022
We are continuing to remediate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell and CVE-2021-45046.
Log4j is a Java-based logging utility found in a wide number of software products.
The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. If exploited, it could potentially allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value on an affected endpoint.
As soon as we learned of this vulnerability, ChemAxon promptly evaluated all cloud-hosted systems and customer premise agents to determine what might be impacted and methodically set about remediating any exposure.
The new incident CVE-2021-45046 poses no additional threat as all affected ChemAxon products are updated to use log4j 2.16.
The new incident CVE-2021-45105 involves no further ChemAxon product.
This page will continue to be updated as more information becomes available.
Products affected
ChemAxon is taking prompt action to patch and mitigate the potential impact of this vulnerability on: Fixes have been published in frequent releases for the following affected products
Postgres Cartridge - fix came with 21.20 frequent release and is available in Iodine.2 LTS and Helium.6
JChem Choral - fix came with 21.20 frequent release and is available in Iodine.2 LTS and Helium.6
Biomolecule Toolkit - fix came with 21.19 frequent release and is available in Iodine.2 LTS.
DataLink itself is not affected but it is often used together with Tableau. For information on the exposure of Tableau please consult the provider.
Unaffected products
All other ChemAxon products remain unaffected.
Other mitigations
We also recommend customers check whether any other (non-ChemAxon) software they are running may be impacted and check in with applicable vendors for available patches.
Next steps
We will continue to provide updates as necessary in this document.