Ellucian is aware of and actively monitoring Apache Log4j CVE-2021-45046 and CVE-2021-44228. Please review the linked CVEs for details.
Where needed, we are putting mitigations in place for Ellucian products per Apache's Log4j Security Vulnerabilities, including upgrading all Log4j instances to 2.16. We are aware of 2.17. Our plan is to continue the work underway to release 2.16 as quickly as possible for affected products. For products using Log4j version 1.x, we are planning upgrades as a second priority after the affected products. We will continue to monitor and will update this page if circumstances change.
Links to Ellucian Knowledge Articles will open the Ellucian Customer Center and require credentials to access. If you are an Ellucian customer and do not have an Ellucian Customer Center account, please use the Sign Up link available on the Ellucian Customer Center page.
This page contains the current status of all Ellucian products. For status of Ellucian partner products, click here.
Ellucian products using Apache Log4j and affected
Banner Analytics
- Dec 22, 2021 (current): Third party Oracle component and third party IBM component affected. Banner Analytics downloads from Ellucian Download Center have been disabled. IBM patches are now available. Customers should download either from Ellucian or IBM via the method you normally use.
Prior updates
- Dec 17, 2021: Third party Oracle component and third party IBM component affected. Banner Analytics downloads from Ellucian Download Center have been disabled. IBM patches are now available. Customers should download either from Ellucian or IBM via the method you normally use.
- Dec 16, 2021: Third party Oracle component and third party IBM component affected. Banner Analytics downloads from Ellucian Download Center have been disabled. An additional update will be posted Dec 18, 2021 addressing IBM's guidance.
- Dec 15, 2021: Third party Oracle component affected. Downloads from Ellucian Download Center have been disabled. Planning upgrade; will post target release date for upgrade once available.
Ellucian Colleague
- Dec 30, 2021 (current):
  - Ellucian Cloud: Upgrade process for the releases including Apache Log4j 2.16 to prod complete. Cloud customers received specific updates for their upgrades via standard notification methods.
Prior updates
- Dec 23, 2021: In addition to the releases noted below, other changes have occurred to the Dec 16, 2021 release plans. Please review the Release Calendar for additional information.
  - Ellucian Cloud: Upgrade process for the releases including Apache Log4j 2.16 to prod will be completed Dec 29, 2021. Cloud customers will receive specific updates for their upgrades via standard notification methods.
  - On-Premise: Release including Apache Log4j became available for download Dec 20, 2021. Additionally, for customers using Ellucian-delivered JMeter scripts to configure Colleague Self Service applications, be aware that most versions of JMeter are affected. Apache has now patched JMeter. Customers should apply Apache’s patches before restarting these scripts.
- Dec 20, 2021: In addition to the releases noted below, other changes have occurred to the Dec 16, 2021 release plans. Please review the Release Calendar for additional information.
  - Ellucian Cloud: Upgrade process for the releases including Apache Log4j 2.16 to non-prod started Dec 20, 2021. Cloud customers will receive specific updates for their upgrades via standard notification methods.
  - On-Premise: Release including Apache Log4j became available for download Dec 20, 2021. Additionally, for customers using Ellucian-delivered JMeter scripts to configure Colleague Self Service applications, be aware that most versions of JMeter are affected. Apache has now patched JMeter. Customers should apply Apache’s patches before restarting these scripts.
- Dec 18, 2021: In addition to the releases noted below, other changes have occurred to the Dec 16, 2021 release plans. Please review the Release Calendar for additional information.
  - Ellucian Cloud: Upgrade work for Apache Log4j 2.16 is in progress and will be released to non-prod starting Dec 20, 2021. Cloud customers will receive specific updates for their upgrades via standard notification methods.
  - On-Premise: Upgrade work for Apache Log4j 2.16 is in progress and will be released for download on Dec 20, 2021. Until the upgrade is available, Ellucian recommends customers take the steps linked here. Additionally, for customers using Ellucian-delivered JMeter scripts to configure Colleague Self Service applications, be aware that most versions of JMeter are affected. Apache has now patched JMeter. Customers should apply Apache’s patches before restarting these scripts.
- Dec 17, 2021: In addition to the releases noted below, other changes have occurred to the Dec 16, 2021 release plans. Please review the Release Calendar for additional information.
  - Ellucian Cloud: Upgrade work for Apache Log4j 2.16 is in progress and will be released to non-prod on Dec 20, 2021 with a target prod release of Dec 22, 2021.
  - On-Premise: Upgrade work for Apache Log4j 2.16 is in progress and will be released for download on Dec 20, 2021. Until the upgrade is available, Ellucian recommends customers take the steps linked here. Additionally, for customers using Ellucian-delivered JMeter scripts to configure Colleague Self Service applications, be aware that most versions of JMeter are affected. Apache has now patched JMeter. Customers should apply Apache’s patches before restarting these scripts.
- Dec 16, 2021: In addition to the releases noted below, other changes have occurred to the Dec 16, 2021 release plans. Please review the Release Calendar for additional information.
  - Ellucian Cloud: Upgrade work for Apache Log4j 2.16 is in progress and will be released to non-prod on Dec 20, 2021 with a target prod release of Dec 22, 2021.
  - On-Premise: Upgrade work for Apache Log4j 2.16 is in progress and will be released for download on Dec 20, 2021. Until the upgrade is available, Ellucian recommends customers take the steps linked here. Additionally, for customers using Ellucian-delivered JMeter scripts to configure Colleague Self Service applications, be aware that most versions of JMeter are affected. Customers should pause running these scripts until Apache patches JMeter.
- Dec 15, 2021: In addition to the releases noted below, other changes have occurred to the Dec 16, 2021 release plans. Please review the Release Calendar for additional information.
  - Ellucian Cloud: Upgrade work for Apache Log4j 2.16 is in progress and will be released to non-prod on Dec 20, 2021 with a target prod release of Dec 22, 2021.
  - On-Premise: Upgrade work for Apache Log4j 2.16 is in progress and will be released for download on Dec 20, 2021. Until the upgrade is available, Ellucian recommends customers take the steps linked here.
Ellucian Analytics
- Dec 16, 2021 6:30PM EST (current): Mitigations to address the log4j-core vulnerabilities have been deployed for Ellucian Analytics and service has been restored.
Prior updates
- Dec 15, 2021: Ellucian has moved the Ellucian Analytics platform offline as we investigate whether a Tableau component is impacted.
Ellucian Elevate
- Dec 20, 2021 (current): Ellucian upgraded to 2.16 on Dec 20th, 2021.
Prior updates
- Dec 16, 2021: Ellucian upgraded to 2.15 on Dec 13, 2021. Upgrade to 2.16 to be completed in non-prod by Dec 16, 2021 and prod by Dec 21, 2021.
- Dec 15, 2021: Ellucian Cloud: Ellucian upgraded to 2.15 on Dec 10th, 2021. Upgrade of Jasper Report Server and Web Tier to 2.16 to be completed in non-prod by Dec 17, 2021 and prod by Dec 18, 2021.
Ellucian Ethos Identity
- Dec 16, 2021 (current): Downloads for EIS versions based on WSO2 Identity server 5.9.0 and above (EIS 5.10.0, 5.10.1, and 5.10.2) have been disabled in the Ellucian Download Center. Customers with on-premise deployments should follow mitigation provided by WSO2 (linked above). Planning upgrade; will post target release date for upgrade once available from WSO2.
Prior updates
- Dec 15, 2021: Downloads for EIS versions based on WSO2 Identity server 5.9.0 and above (EIS 5.10.0, 5.10.1, and 5.10.2) have been disabled in the Ellucian Download Center. Planning upgrade; will post target release date for upgrade once available.
Ellucian Quercus
- Dec 20, 2021 (current)
  - Ellucian Cloud: Ellucian upgraded to 2.16 on Dec 20th, 2021.
  - (no change) On-premise: Ellucian recommends that customers upgrade to Apache Log4j 2.16 on all servers used for Quercus (including JasperSoft). Customers will need to modify and run a version of Ellucian’s Cloud update Script for Jasper Report Server for their on-premise Jasper Report Server using the base script located here. This script is written for a Docker deployed Jasper Report Server.
Prior updates
- Dec 16, 2021
  - Ellucian Cloud: Ellucian upgraded to 2.15 on Dec 10th, 2021. Upgrade of Jasper Report Server and Web Tier to 2.16 to be completed in non-prod by Dec 17, 2021 and prod by Dec 18, 2021.
  - On-premise: Ellucian recommends that customers upgrade to Apache Log4j 2.16 on all servers used for Quercus (including JasperSoft). Customers will need to modify and run a version of Ellucian’s Cloud update Script for Jasper Report Server for their on-premise Jasper Report Server using the base script located here. This script is written for a Docker deployed Jasper Report Server.
- Dec 15, 2021
  - Ellucian Cloud: Ellucian upgraded to 2.15 on Dec 13, 2021. Upgrade to 2.16 to be completed in non-prod by Dec 16, 2021 and prod by Dec 21, 2021.
  - On-premise: Ellucian recommends that customers upgrade to Apache Log4j 2.16 on all servers used for Quercus (including JasperSoft). Customers will need to modify and run a version of Ellucian’s Cloud update Script for Jasper Report Server for their on-premise Jasper Report Server using the base script located here. This script is written for a Docker deployed Jasper Report Server.
Ellucian products using Apache Log4j and not impacted
NOTE: The products below are not specifically configured to use JMSAppender by default.
Banner Admin
Banner Enterprise Identity Services (BEIS)
Banner Integration for eLearning
Banner Integration for eProcurement
Banner Self Service 8.x
Banner Workflow
Banner Document Management (includes Banner Document Retention)
Ellucian Advance Web Connector
Ellucian eTranscripts
eTranscripts partners:
Ellucian Mobile
Luminis
Ellucian Solution Manager
- Dec 30, 2021 (current): TBD
Prior updates
- Dec 22, 2021: Upgrade to Apache Log4j 2.17 released Dec 22, 2021.
- Dec 15, 2021: Is not affected because, although ESM has an Apache Log4j 2.x version, log4j is not used in a way that could be exploited. Upgrade to 2.16 planned for release by Dec 23, 2021.
Ellucian products that do not have Apache Log4j and are not impacted
Banner Event Publisher
Banner 9 Self Service
Note that older versions of Banner Self Service 9 use Grails 2.x and Log4j 1.x and are not impacted.
Colleague Analytics
CRM Advance
CRM Advise
CRM Recruit
Ellucian Advance / Advance Web
Ellucian Data Access
Ellucian Design Path
Ellucian Degree Works
Ellucian ePrint
Ellucian Ethos API & API Management Center
Ellucian Ethos Extend
Ellucian Ethos Integration
Ellucian Experience
Ellucian Intelligent Platform (ILP)
Ellucian International Student and Scholar Management (ISSM)
Ellucian Message Service (EMS)
Ellucian Messaging Adapter (EMA)
Ellucian Payment Gateway
Ellucian Portal
Ellucian Workflow
Ellucian PowerCampus
History
- Dec 30: Product status updated for Colleague (Ellucian Cloud)
- Dec 23: Product status updated for Colleague (Ellucian Cloud)
- Dec 22: Product status updated for Banner Analytics and Ellucian Solution Manager
- Dec 21: Updated header; added info on JMSAppender for not impacted products
- Dec 20: Product status updates for Colleague, Elevate, and Quercus
- Dec 18: Header update; product status update for Colleague
- Dec 17: Format change; status updated for Colleague, eTranscripts, Banner Analytics, and Banner Self Service
- Dec 16: Updates to status for the following products: Banner Analytics, Ellucian Ethos Identity, Colleague, Quercus, Elevate, and Ellucian Analytics
- Dec 15: Final e-mail to customers; updates shift to this page (first version published)
- Dec 13: Updates e-mailed to customers
- Dec 11: Updates e-mailed to customers
- Dec 10: First e-mail alert to customers