obiba / mica2

Mica is a web portal for epidemiological study consortia.
http://www.obiba.org/pages/products/mica/
GNU General Public License v3.0

[4.6.3] affected by CVE-2021-44228? #4269

Closed tuxmaster5000 closed 2 years ago

tuxmaster5000 commented 2 years ago

In the rpm package I found an old log4j version:

rpm -ql mica2|grep log
/etc/mica2/logback.xml
/usr/share/doc/mica2/changelog
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/jboss-logging-3.3.2.Final.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/log4j-1.2.17.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/log4j-over-slf4j-1.7.26.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/logback-classic-1.2.3.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/logback-core-1.2.3.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/logstash-logback-encoder-6.6.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/spring-boot-starter-logging-1.5.22.RELEASE.jar
/usr/share/mica2-4.6.3/webapp/app/admin/views/logs.html
/usr/share/mica2-4.6.3/webapp/app/views/login.html
/usr/share/mica2-4.6.3/webapp/assets/images/mica-logo.png

And only 2.15.0 is safe.
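As an added example (not code from this issue or from the mica2 project), a POSIX shell script that classifies the log4j jars in a listing like the one above against the CVE-2021-44228 range (log4j-core 2.0-beta9 through 2.14.1, fixed from 2.15.0 as the issue states). The sample listing is constructed, and the two log4j-core paths under /opt/other are hypothetical.

```shell
#!/bin/sh
# Classify log4j-related jars from an `rpm -ql` style listing.
# CVE-2021-44228 lives in log4j-core 2.x (2.0-beta9 .. 2.14.1).
# Log4j 1.x is a separate, end-of-life codebase outside that range,
# and log4j-over-slf4j is only an API bridge, not log4j itself.

# Constructed sample input mirroring the listing in the issue,
# plus two hypothetical log4j-core jars to exercise both branches.
SAMPLE_LISTING='/etc/mica2/logback.xml
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/log4j-1.2.17.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/log4j-over-slf4j-1.7.26.jar
/usr/share/mica2-4.6.3/webapp/WEB-INF/lib/logback-classic-1.2.3.jar
/opt/other/lib/log4j-core-2.14.1.jar
/opt/other/lib/log4j-core-2.17.1.jar'

# classify_jar PATH -> BRIDGE | LEGACY-1.x | AFFECTED | FIXED | OTHER
classify_jar() {
    base=$(basename "$1")
    case "$base" in
        log4j-over-slf4j-*.jar|log4j-to-slf4j-*.jar) echo BRIDGE ;;
        log4j-1.*.jar) echo LEGACY-1.x ;;
        log4j-core-2.*.jar)
            ver=${base#log4j-core-}; ver=${ver%.jar}   # e.g. 2.14.1
            minor=${ver#2.}; minor=${minor%%[!0-9]*}  # e.g. 14 (2.0-beta9 -> 0)
            # Pre-beta9 2.0 builds are not distinguished here.
            if [ "${minor:-0}" -lt 15 ]; then echo AFFECTED; else echo FIXED; fi ;;
        *) echo OTHER ;;
    esac
}

# scan_listing LISTING -> one "CLASS PATH" line per log4j*.jar found
scan_listing() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        case "$(basename "$path")" in
            log4j*.jar) printf '%s %s\n' "$(classify_jar "$path")" "$path" ;;
        esac
    done
}

# count_affected LISTING -> number of jars in the vulnerable range
count_affected() {
    scan_listing "$1" | grep -c '^AFFECTED ' || true
}

scan_listing "$SAMPLE_LISTING"
```

Run it against real output from `rpm -ql mica2` (or a `find ... -name 'log4j*.jar'` walk) to get the same classification for an installed host.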

ymarcon commented 2 years ago

Mica uses logback. These are third-party library dependencies, not being used; I will exclude them.

tuxmaster5000 commented 2 years ago

Thanks