Closed claycoleman closed 2 years ago
@bethac07 While code exists to call log4j, it doesn't look like it's currently used. For the sake of security it's probably worth removing or replacing it. To my understanding Bioformats migrated from log4j to slf4j several years ago, and something similar was already done in prokaryote.
Yes that is my understanding also.
https://github.com/CellProfiler/CellProfiler/commit/d026c4cd2ae895439e0fe99f079c1bd4176d473b
FWIW, it looks like since 2020 python-bioformats has been using bioformats_package.jar, so per the linked issue here from bioformats, it seems all 4.X release versions should be fine. I'll dig out the non-functional legacy code that was calling to it, but I do not believe we are affected.
Thanks @claycoleman for raising this!
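As an added check (not code from CellProfiler or python-bioformats), this script inspects a bundled jar such as bioformats_package.jar for log4j-core classes, for the JndiLookup class through which CVE-2021-44228 is reached, for log4j 1.x and slf4j classes, and for the log4j-core version recorded in the jar's Maven metadata. The two sample jars are constructed in memory; the entry names and paths used are assumptions about how such a jar is laid out.

```python
import io
import sys
import zipfile

# Entry names used as indicators (assumed layout of an uber jar with flat class paths).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J1_PREFIX = "org/apache/log4j/"
SLF4J_PREFIX = "org/slf4j/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar_bytes):
    """Summarise logging-related contents of a jar (a jar is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            # Maven metadata, if shaded in, records the bundled log4j-core version.
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "has_log4j2_core": any(n.startswith(LOG4J2_CORE_PREFIX) for n in names),
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "has_log4j1": any(n.startswith(LOG4J1_PREFIX) for n in names),
        "has_slf4j": any(n.startswith(SLF4J_PREFIX) for n in names),
        "log4j_core_version": version,
    }


def build_sample_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one jar still shipping log4j-core 2.14.1 with JndiLookup,
# one that only carries slf4j alongside Bio-Formats classes.
LEGACY_JAR = build_sample_jar({
    JNDI_LOOKUP: b"",
    LOG4J2_CORE_PREFIX + "Logger.class": b"",
    POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n",
})
SLF4J_JAR = build_sample_jar({SLF4J_PREFIX + "Logger.class": b"",
                              "loci/formats/ImageReader.class": b""})

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY_JAR
    print(inspect_jar(data))
```

Absence of log4j-core classes means the jar cannot reach the CVE-2021-44228 code path; presence of JndiLookup is only an indicator, since 2.15.0 kept the class while disabling the lookup, so compare the reported version against the Apache advisory as well.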
This issue has been mentioned on Image.sc Forum. There might be relevant details there:
https://forum.image.sc/t/log4j-vulnerability-in-cellprofiler/61031/2
Hi all, thanks for the great package – just wanted to raise the security issue for log4j that was exposed on Thursday. See here for more details: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
Looks like this package has log4j.py that could be calling into log4j under the hood. Are there any patches or upgrades that are needed to avoid any sort of problems as a result of this dependency?