Closed saradeelstra closed 2 years ago
Also inquiring about Usagi software.
Thanks for raising this issue. We are tracking the situation and will apply a patch like already being worked on for the OHDSI Atlas/WebApi. We will incorporate this in the next release of WhiteRabbit/Usagi.
At this point, I cannot give you a timeline. As WhiteRabbit/Usagi is typically run locally (ie. not hosted as a webservice), this currently does not have a high priority. If you are uncertain whether this tool may provide a vulnerability, please shut them off until we have implemented the patch.
Upon further investigation we found that WhiteRabbit (and Usagi) do not use Log4j, but apache commons-logging
and slf4j-simple
for logging. These are not susceptible to the Log4j vulnerability.
I’m sure you are well aware of the vulnerability with Log4j. We are needing to determine if White Rabbit is vulnerable. If so, do you plan on creating a patch or have a plan to patch?
If you could please respond asap, I would greatly appreciate it as we have a deadline of 12/22 to confirm no vulnerabilities, prior to shutting off services to the application.