saradeelstra
commented
2 years ago Also inquiring about Usagi software.
Closed saradeelstra closed 2 years ago
saradeelstra
commented
2 years ago Also inquiring about Usagi software.
MaximMoinat
commented
2 years ago Thanks for raising this issue. We are tracking the situation and will apply a patch like already being worked on for the OHDSI Atlas/WebApi. We will incorporate this in the next release of WhiteRabbit/Usagi.
At this point, I cannot give you a timeline. As WhiteRabbit/Usagi is typically run locally (ie. not hosted as a webservice), this currently does not have a high priority. If you are uncertain whether this tool may provide a vulnerability, please shut them off until we have implemented the patch.
MaximMoinat
commented
2 years ago Upon further investigation we found that WhiteRabbit (and Usagi) do not use Log4j, but apache commons-logging and slf4j-simple for logging. These are not susceptible to the Log4j vulnerability.
I’m sure you are well aware of the vulnerability with Log4j. We are needing to determine if White Rabbit is vulnerable. If so, do you plan on creating a patch or have a plan to patch?
If you could please respond asap, I would greatly appreciate it as we have a deadline of 12/22 to confirm no vulnerabilities, prior to shutting off services to the application.