CellProfiler / python-bioformats

Read and write life sciences file formats
Other

log4j security issue #152

Closed claycoleman closed 2 years ago

claycoleman commented 2 years ago

Hi all, thanks for the great package – just wanted to raise the security issue for log4j that was exposed on Thursday. See here for more details: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

Looks like this package has log4j.py that could be calling into log4j under the hood.

Are there any patches or upgrades needed to avoid any sort of problems as a result of this dependency?

DavidStirling commented 2 years ago

@bethac07 While code exists to call log4j it doesn't look like it's currently used. For the sake of security it's probably worth removing or replacing it. To my understanding Bioformats migrated from log4j to slf4j several years ago, and something similar was already done in prokaryote.

bethac07 commented 2 years ago

Yes that is my understanding also.

https://github.com/CellProfiler/CellProfiler/commit/d026c4cd2ae895439e0fe99f079c1bd4176d473b

bethac07 commented 2 years ago

FWIW, it looks like since 2020 python-bioformats has been using bioformats_package.jar, so per the linked issue here from bioformats, it seems all 4.X release versions should be fine. I'll dig out the non-functional legacy code that was calling to it, but I do not believe we are affected.

https://github.com/CellProfiler/python-bioformats/commit/ad5df31cae90db5e053dd693b73979758052af7c#diff-f6e62418513760b4fb33dfae61cee65ed1e975085ed1a30f9945b1b30e76872a
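The claim above, that the bundled bioformats_package.jar is on a safe release line, is something a deployer can verify locally rather than take on trust. The scanner below is an added example, not code from python-bioformats or Bio-Formats: it walks a jar (and any jars nested inside it, which is how fat jars ship dependencies), reads the log4j-core version from its Maven `pom.properties`, and checks for the `JndiLookup` class that CVE-2021-44228 abuses. The three jars it scans are constructed in a temporary directory purely to exercise the code; the version ranges encoded in `version_affected` are the Apache advisory's (2.0-beta9 through 2.14.1 affected, 2.15.0 plus the 2.12.2 and 2.3.1 backports fixed).

```python
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass, field
from typing import List

# Entry names used as markers. JndiLookup.class is the class whose JNDI
# resolution CVE-2021-44228 abuses; pom.properties carries the declared version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J_1X_MARKER = "org/apache/log4j/Logger.class"  # legacy log4j 1.x, not this CVE


def version_affected(v: str) -> bool:
    """True for log4j-core 2.x in the CVE-2021-44228 range (2.0-beta9 .. 2.14.1).
    2.15.0 fixed it for Java 8; 2.12.2 and 2.3.1 are the Java 7 / Java 6 backports."""
    if v in ("2.12.2", "2.12.3", "2.12.4", "2.3.1", "2.3.2"):
        return False
    try:
        major, minor = (int(p) for p in v.split("-")[0].split(".")[:2])
    except ValueError:  # unparseable or single-component version string
        return False
    return major == 2 and minor < 15


@dataclass
class JarFindings:
    versions: List[str] = field(default_factory=list)      # log4j-core versions declared
    jndi_lookup: bool = False                               # JndiLookup.class bundled anywhere
    log4j1: bool = False                                    # log4j 1.x classes bundled
    nested_jars: List[str] = field(default_factory=list)    # inner jars that were descended into

    @property
    def affected(self) -> bool:
        # A declared vulnerable version is conclusive. JndiLookup.class with no
        # version metadata (shaded or stripped jar) cannot be cleared and is flagged.
        return any(version_affected(v) for v in self.versions) or (
            self.jndi_lookup and not self.versions)


def _scan_zip(zf: zipfile.ZipFile, findings: JarFindings, prefix: str = "") -> None:
    for name in zf.namelist():
        if name == JNDI_LOOKUP_CLASS:
            findings.jndi_lookup = True
        elif name == LOG4J_CORE_POM:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    findings.versions.append(line.split("=", 1)[1].strip())
        elif name == LOG4J_1X_MARKER:
            findings.log4j1 = True
        elif name.endswith(".jar"):
            # Fat jars embed dependency jars; recurse into them in memory.
            findings.nested_jars.append(prefix + name)
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, findings, prefix + name + "!")


def scan_jar(path: str) -> JarFindings:
    findings = JarFindings()
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, findings)
    return findings


def build_sample_jar(path: str, version=None, include_jndi=False, nest_in=None) -> None:
    """Write a CONSTRUCTED jar carrying only the requested markers (not real Bio-Formats)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(LOG4J_CORE_POM, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class-file header
    data = buf.getvalue()
    if nest_in:  # wrap the jar inside an outer jar under the given entry name
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nest_in, data)
        data = outer.getvalue()
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Scan three constructed jars: an old fat jar, a patched one, and one without log4j."""
    with tempfile.TemporaryDirectory() as d:
        vuln, patched, clean = (os.path.join(d, n) for n in ("old.jar", "patched.jar", "clean.jar"))
        build_sample_jar(vuln, "2.14.1", True, nest_in="lib/log4j-core-2.14.1.jar")
        build_sample_jar(patched, "2.17.1", True)   # fixed releases still ship JndiLookup
        build_sample_jar(clean)
        return {"vulnerable": scan_jar(vuln), "patched": scan_jar(patched), "clean": scan_jar(clean)}


if __name__ == "__main__":
    for label, f in demo().items():
        print(f"{label}: affected={f.affected} versions={f.versions} nested={f.nested_jars}")
```

To check a real install, call `scan_jar("bioformats_package.jar")` on the jar that python-bioformats actually loads; an empty `versions` list together with `jndi_lookup=False` means no log4j 2 core is bundled at all, which is the expected outcome on the 4.x line discussed above.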

bethac07 commented 2 years ago

Thanks @claycoleman for raising this!

imagesc-bot commented 2 years ago

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/log4j-vulnerability-in-cellprofiler/61031/2