OHDSI / Athena

Web application for distributing and browsing the Standardized Vocabularies for all instances of an OMOP CDM

cpt4.jar Log4j vulnerability #268

Open alex-golts opened 2 years ago

alex-golts commented 2 years ago

I found that the cpt4.jar file which is currently obtained from athena.ohdsi.org contains the 2.14 version of the Apache Log4j library, which suffers from the "famous" recently found critical vulnerability. It would be much appreciated if the Log4j dependency could be updated to the latest version in the downloadable .jar file that is found at the Athena website. Thank you!

konstjar commented 2 years ago

Thanks for reporting. It will be addressed ASAP

ahammais commented 2 years ago

May I ask if this issue has been fixed? If we download a new vocabulary set from Athena now, which log4j version will we get in the cpt4.jar? Our data security personnel recommend we don't use anything below 2.17.1.

mik-ohdsi commented 1 year ago

Dear @konstjar - I think with the latest fixes in the CPT4.jar, the vulnerability should be fixed, too, right?
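Added example, not code from the Athena project or from any commenter above: an offline check that answers ahammais's question ("which log4j version will we get in the cpt4.jar?") for a downloaded jar. It looks for the two usual Maven markers of a bundled log4j-core (a nested `log4j-core-<version>.jar`, or a shaded `META-INF/maven/.../log4j-core/pom.properties`) and for the `JndiLookup` class that CVE-2021-44228 abuses, then compares the version against the 2.17.1 floor quoted in the thread. The sample jars it builds are constructed in a temp directory for demonstration; the layouts it recognises are an assumption about how the real cpt4.jar is packaged, so "no version found" means "no marker found", not "no log4j".

```python
"""Added example (not OHDSI/Athena code): report the Log4j 2 version bundled
in a jar such as cpt4.jar and whether it is below a chosen floor.

Assumptions (labelled, not from the issue thread): log4j-core is either a
nested jar named log4j-core-<ver>.jar or shaded in with its Maven
pom.properties kept. A repackaged jar that strips both markers would be
reported as "no version found".
"""
import io
import os
import re
import sys
import tempfile
import zipfile

MIN_SAFE = (2, 17, 1)  # floor recommended by ahammais's security staff in the thread
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_RE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tuples compare correctly, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _scan_zip(zf, findings, prefix=""):
    """Collect version markers and JndiLookup entries, recursing into nested jars."""
    for name in zf.namelist():
        if name == JNDI_CLASS:
            findings["jndi_lookup"].append(prefix + name)
        if name == POM_PROPS:  # shaded log4j-core keeps its Maven properties
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    findings["versions"].append(parse_version(line.split("=", 1)[1]))
        m = NESTED_RE.search(name)
        if m:  # nested log4j-core jar: version is in the file name, classes inside it
            findings["versions"].append(parse_version(m.group(1)))
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, findings, prefix + name + "!/")


def scan_jar(path, min_safe=MIN_SAFE):
    """Return bundled log4j-core versions, JndiLookup locations and a verdict.

    below_floor is True when a detected version is older than min_safe, or when
    JndiLookup.class is present but no version marker was found at all.
    """
    findings = {"versions": [], "jndi_lookup": []}
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, findings)
    versions = sorted(set(findings["versions"]))
    below = any(v < min_safe for v in versions) or (not versions and bool(findings["jndi_lookup"]))
    return {"versions": versions, "jndi_lookup": findings["jndi_lookup"], "below_floor": below}


def build_sample_jar(path, version, layout="nested"):
    """Constructed test fixture (not a real cpt4.jar): a jar bundling a fake log4j-core."""
    props = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version
    with zipfile.ZipFile(path, "w") as outer:
        outer.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        outer.writestr("org/ohdsi/Cpt4Main.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        if layout == "nested":
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as inner:
                inner.writestr(POM_PROPS, props)
                inner.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
            outer.writestr("lib/log4j-core-%s.jar" % version, buf.getvalue())
        else:  # shaded: log4j classes and Maven metadata merged into the outer jar
            outer.writestr(POM_PROPS, props)
            outer.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo(version="2.14.1", layout="nested"):
    """Build a constructed jar carrying the given log4j-core version and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cpt4.jar")
        build_sample_jar(path, version, layout)
        return scan_jar(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_jar(target) if target else demo()
    print("log4j-core versions found:", [".".join(map(str, v)) for v in result["versions"]])
    print("JndiLookup.class at:", result["jndi_lookup"] or "not present")
    print("below %s floor: %s" % (".".join(map(str, MIN_SAFE)), result["below_floor"]))
```

Run it as `python check_log4j.py cpt4.jar` against the file downloaded from Athena; with no argument it scans a constructed 2.14.1 fixture. The verdict is driven by the version, not by the presence of `JndiLookup.class`, because that class still ships in patched 2.17.x releases with JNDI disabled by default; its presence only tips the verdict when no version marker exists at all.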