sanger-pathogens / Artemis

Artemis is a free genome viewer and annotation tool that allows visualization of sequence features and the results of analyses within the context of the sequence, and its six-frame translation
http://sanger-pathogens.github.io/Artemis

log4j vulnerability #326

Closed kb529 closed 2 years ago

kb529 commented 2 years ago

As you may already be aware, a log4j 2.x vulnerability was identified last week (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). Using the scanning tool from https://github.com/mergebase/log4j-detector , it appears that Artemis v18.1 uses an impacted version of log4j.

log4j-detector output:

artemis\act.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
artemis\artemis.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
artemis\bamview.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(
artemis\dnaplotter.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE :-(

If this is correct, are there any plans to update Artemis to use a patched version of log4j? Thank you.
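The detector output above shows the point that makes this case awkward for inventory tools: the Artemis jars are shaded, so log4j-core is embedded inside act.jar, artemis.jar and so on rather than shipped as a separately named log4j-core-x.y.z.jar, and a scan has to open each jar and look at its contents. The following is an added example (not the project's code, and not how mergebase/log4j-detector works internally) of a minimal scanner that does that: it reads the version log4j-core records in its own pom.properties, checks whether JndiLookup.class is still present, recurses into nested jars, and classifies the result against the CVE-2021-44228 range (2.0-beta9 up to but not including 2.15.0). The jars it scans here are constructed in memory for the demonstration; the jar-building helper, the verdict names and the recursion into nested jars are assumptions of this example.

```python
"""Classify jars (including shaded/uber jars) for embedded log4j-core and CVE-2021-44228.

Added example, not part of the Artemis project. The sample jars are constructed in memory.
"""
import io
import re
import sys
import zipfile

# Paths maven-built log4j-core jars carry; shading normally keeps them (assumption:
# a shaded jar that strips META-INF/maven would need class-fingerprinting instead).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

FIRST_AFFECTED = (2, 0, 0, 1, 9)   # 2.0-beta9: first release with the JNDI lookup
FIXED_44228 = (2, 15, 0, 3, 0)     # 2.15.0: message lookups disabled by default
RECOMMENDED = (2, 17, 1, 3, 0)     # 2.17.1: first 2.17.x without a known follow-up CVE

# Verdict names are this example's own; ordered least to most severe.
SEVERITY = ["NOT_FOUND", "OK", "OUTDATED", "MITIGATED", "UNKNOWN_VERSION", "VULNERABLE"]


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.17.2' -> (2, 17, 2, 3, 0). Tuples compare correctly."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, prenum = m.groups()
    stage = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[pre]  # pre-releases sort below final
    return (int(major), int(minor), int(patch or 0), stage, int(prenum or 0))


def read_pom_version(zf):
    """Return the version recorded in log4j-core's pom.properties, or None if absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def classify(version, has_jndi_lookup):
    """Map (version string or None, JndiLookup.class present) to a verdict name."""
    if version is None:
        return "UNKNOWN_VERSION" if has_jndi_lookup else "NOT_FOUND"
    v = parse_version(version)
    if FIRST_AFFECTED <= v < FIXED_44228:
        # Removing JndiLookup.class was the vendor-documented workaround for CVE-2021-44228.
        return "VULNERABLE" if has_jndi_lookup else "MITIGATED"
    return "OUTDATED" if v < RECOMMENDED else "OK"


def scan_jar_bytes(data):
    """Scan one jar held in memory, recursing into nested jars; return the worst verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        verdict = classify(read_pom_version(zf), JNDI_LOOKUP in names)
        for name in names:
            if name.lower().endswith(".jar"):  # jars bundled inside the jar
                nested = scan_jar_bytes(zf.read(name))
                if SEVERITY.index(nested) > SEVERITY.index(verdict):
                    verdict = nested
        return verdict


def scan_path(path):
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def make_jar(version=None, include_jndi_lookup=True, nested=None):
    """Build a constructed sample jar in memory (not a real Artemis or log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, a stub
        if nested is not None:
            zf.writestr("lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan.py artemis/act.jar artemis/artemis.jar ...
    for jar in sys.argv[1:]:
        print(f"{jar}: {scan_path(jar)}")
```

The ranges are deliberately coarse: anything from 2.0-beta9 up to 2.14.1 with JndiLookup.class still on the classpath is reported as vulnerable, 2.15.0 and 2.16.0 are reported as outdated because they received their own follow-up fixes, and only 2.17.1 or later is reported as OK, which is consistent with the 2.17.2 the maintainers moved to.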

lifesci-IT commented 2 years ago

Could somebody acknowledge this issue? - we are currently blocking all our users from access to this app until it is patched.

ensignvorik commented 2 years ago

Ditto, appreciate this is a community app, have however had to tell Academics we can't keep this app on our systems.

kpepper commented 2 years ago

Issue is fixed in the latest v18.2.0 release, which is using log4j 2.17.2.