Closed kb529 closed 2 years ago
Could somebody acknowledge this issue? We are currently blocking all our users from access to this app until it is patched.
Ditto, appreciate this is a community app, have however had to tell Academics we can't keep this app on our systems.
Issue is fixed in the latest v18.2.0 release, which is using log4j 2.17.2.
As you may already be aware, a log4j 2.x vulnerability was identified last week (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). Using the scanning tool from https://github.com/mergebase/log4j-detector, it appears that Artemis v18.1 uses an impacted version of log4j.
log4j-detector output:
artemis\act.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
artemis\artemis.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
artemis\bamview.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
artemis\dnaplotter.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
If this is correct, are there any plans to update Artemis to use a patched version of log4j? Thank you.
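Added example (not part of the original issue, and not code from Artemis or log4j-detector): a minimal Python check for a log4j-core copy bundled inside an application jar, including nested jars, which is how the four Artemis jars above came to be flagged. Assumptions: the bundled copy is identified by the Maven `pom.properties` file or the `JndiLookup` class, anything older than the 2.17.2 named in this thread is reported as needing an upgrade, pre-release suffixes such as `-beta9` are ignored, and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Metadata file log4j-core ships with; it usually survives repackaging into a fat jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_OK = (2, 17, 2)  # assumption: the version this thread says v18.2.0 uses


def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def scan_jar(data, name, depth=0):
    """Scan jar bytes, recursing into nested archives; return [(path, verdict)]."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable archive")]
    findings, names = [], zf.namelist()
    props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    ver = parse_version(props)
    if ver:
        state = "ok" if ver >= MIN_OK else "upgrade needed"
        findings.append((name, "log4j-core %d.%d.%d: %s" % (ver + (state,))))
    elif props or JNDI_CLASS in names:
        findings.append((name, "log4j-core present, version unknown"))
    for inner in names:
        if inner.lower().endswith((".jar", ".war", ".ear")) and depth < 5:
            findings += scan_jar(zf.read(inner), name + "!/" + inner, depth + 1)
    return findings


def make_jar(entries):  # build a jar in memory from {path: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed sample: old metadata at top level, a patched nested jar, a bare class.
SAMPLE = make_jar({
    POM_PROPS: b"version=2.9.1\ngroupId=org.apache.logging.log4j\n",
    "lib/new.jar": make_jar({POM_PROPS: b"version=2.17.2\n"}),
    "lib/shaded.jar": make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"}),
})
```

To check a real file, pass its bytes: `scan_jar(open(path, "rb").read(), path)`. A "version unknown" result means the classes were merged in without their metadata and the jar needs manual review.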