Ellucian Response on Apache Log4j Issue
Where needed, we are putting mitigations in place for Ellucian products per Apache's Log4j Security Vulnerabilities including upgrading all Log4j to 2.16. We are aware of 2.17. Our plan is to continue the work underway to release 2.16 as quickly as possible for affected products. For products using Log4j version 1.x, we are planning upgrades for these products as a second priority to the affected products. We will continue to monitor and we will update here if circumstances change.
Links to Ellucian Knowledge Articles will open the Ellucian Customer Center and require credentials to access. If you are an Ellucian customer and do not have an Ellucian Customer Center account, please use the Sign Up link available on the Ellucian Customer Center page.
This page contains the current status of all Ellucian products. For status of Ellucian partner products, click here.
Ellucian products using Apache Log4j and affected
- Dec 22, 2021 (current): Third party Oracle component and third party IBM component affected. Banner Analytics downloads from Ellucian Download Center have been disabled. IBM patches are now available. Customers should download either from Ellucian or IBM via the method you normally use.
- Dec 30, 2021 (current):
- Ellucian Cloud: Upgrade process for the releases including Apache Log4j 2.16 to prod complete. Cloud customers received specific updates for their upgrades via standard notification methods.
- Dec 16, 2021 6:30PM EST (current): Mitigations to address the log4j-core vulnerabilities have been deployed for Ellucian Analytics and service has been restored.
- Dec 20, 2021 (current): Ellucian upgraded to 2.16 on Dec 20th, 2021.
Ellucian Ethos Identity
- Dec 16, 2021 (current): Downloads for EIS versions based on WSO2 Identity server 5.9.0 and above (EIS 5.10.0, 5.10.1, and 5.10.2) have been disabled in the Ellucian Download Center. Customers with on-premise deployments should follow mitigation provided by WSO2 (linked above). Planning upgrade; will post target release date for upgrade once available from WSO2.
- Dec 20, 2021 (current)
- Ellucian Cloud: Ellucian upgraded to 2.16 on Dec 20th, 2021.
- (no change) On-premise: Ellucian recommends that customers upgrade to Apache Log4j 2.16 on all servers used for Quercus (including JasperSoft). Customers will need to modify and run a version of Ellucian’s Cloud update Script for Jasper Report Server for their on-premise Jasper Report Server using the base script located here. This script is written for a Docker deployed Jasper Report Server.
Ellucian products using Apache Log4j and not impacted
NOTE: The products below are not specifically configured to use JMSAppender by default
Banner Enterprise Identity Services (BEIS)
Banner Integration for eLearning
Banner Integration for eProcurement
Banner Self Service 8.x
Banner Document Management (includes Banner Document Retention)
Ellucian Advance Web Connector
- Parchment has stated they use Log4j. Click here for more information.
- NSC has indicated they use Log4j. Please contact NSC for information on impact to their products.
Ellucian Solution Manager
- Dec 30, 2021 (current): TBD
Ellucian products that do not have Apache Log4j and are not impacted
Banner Event Publisher
Banner 9 Self Service
Note that older versions of Banner Self Service 9 use Grails 2.x. and Log4j 1.x and are not impacted.
Ellucian Advance / Advance Web
Ellucian Data Access
Ellucian Design Path
Ellucian Degree Works
Ellucian Ethos API & API Management Center
Ellucian Ethos Extend
Ellucian Ethos Integration
Ellucian Intelligent Platform (ILP)
Ellucian International Student and Scholar Management (ISSM)
Ellucian Message Service (EMS)
Ellucian Messaging Adapter (EMA)
Ellucian Payment Gateway
- Dec 30: Product status updated for Colleague (Ellucian Cloud)
- Dec 23: Product status updated for Colleague (Ellucian Cloud)
- Dec 22: Product status updated for Banner Analytics and Ellucian Solution Manager
- Dec 21: Updated header; added info on JMSAppender for not impacted products
- Dec 20: Product status updates for Colleague, Elevate, and Quercus
- Dec 18: Header update; product status update for Colleague
- Dec 17: Format change; status updated for Colleague, eTranscripts, Banner Analytics, and Banner Self Service
- Dec 16: Updates to status for the following products: Banner Analytics, Ellucian Ethos Identity, Colleague, Quercus, Elevate, and Ellucian Analytics
- Dec 15: Final e-mail to customers; updates shift to this page (first version published)
- Dec 13: Updates e-mailed to customers
- Dec 11: Updates e-mailed to customers
- Dec 10: First e-mail alert to customers