Bruker patches for Log4j CVE-2021-44228 issue

Last updated: 11 a.m. December 16th, 2021

TopSpin

Affected versions

  • TopSpin 3.6
  • TopSpin 4

Older versions of TopSpin use the Log4j 1.x version of the library, which is not affected.

How to apply the patch
The current version of the Bruker patch is available here:

The patch is delivered as a compressed zip file. Unpack it and execute the following commands from the command line (shell or terminal). Running the script may require administrator privileges on your machine.

Windows

cd ts-log4shell-patch
.\bin\ts-log4shell-patch.bat -d C:\Bruker\TopSpin4.0.9

Linux or macOS

cd ts-log4shell-patch
./bin/ts-log4shell-patch -d /opt/topspin4.0.9

Execute this script for each TopSpin version you have installed.

The TopSpin Log4j Patcher (ts-log4shell-patch) will fix existing TopSpin installations that may use affected Log4j 2 versions. Details about the vulnerability are available here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

This tool will remove the JndiLookup class from the installation. This is a recommended mitigation strategy described on the official Apache Log4j website: https://logging.apache.org/log4j/2.x/security.html#

Please note that the file bsmsserver.jar is currently not patched. This is a service running on the spectrometer console and cannot be reached from the network. Therefore, the embedded Log4j does not create a risk. Future versions of the patch tool will also update this file.
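
To confirm the result after running the patcher, the following check (an added example, not part of the Bruker tool) walks a TopSpin installation directory and lists every archive that still contains the JndiLookup class, including archives nested inside other archives. The script name, the nesting limit and the list of archive extensions are assumptions; bsmsserver.jar is expected to be reported, as noted above.

```python
import io
import os
import sys
import zipfile

# Class that the Apache mitigation removes from log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")  # assumed set of archive types
MAX_DEPTH = 4  # assumed limit for archives nested inside archives


def scan_archive(fileobj, label, hits, depth=0):
    """Append label to hits if the archive holds JndiLookup.class; recurse into nested archives."""
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                    nested = io.BytesIO(zf.read(name))
                    scan_archive(nested, label + "!" + name, hits, depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        # Do not hide archives that could not be inspected.
        print("skipped (unreadable):", label, file=sys.stderr)


def find_jndilookup(install_dir):
    """Return sorted archive paths under install_dir that still contain JndiLookup.class."""
    hits = []
    for root, _dirs, files in os.walk(install_dir):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(root, fname)
                scan_archive(path, path, hits)
    return sorted(hits)


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_jndilookup.py /opt/topspin4.0.9
    remaining = find_jndilookup(sys.argv[1])
    for entry in remaining:
        print("JndiLookup.class still present:", entry)
    sys.exit(1 if remaining else 0)
```

Run it once per installed TopSpin version, with the same directory that was passed to the patcher with -d; an exit status of 0 means no remaining copies were found.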