log4j library security issue


Aditi Gulati

Dec 16, 2021, 10:28:56 AM
to cBioPortal for Cancer Genomics Discussion Group

Hello,
As you may be aware, there is a high security risk with the log4j logging library for those using library version < 2.15:

We noticed in our local cBioportal installation the following:
~/cbioportal/portal/target/portal/WEB-INF/lib/apache-log4j-extras-1.1.jar
~/cbioportal/portal/target/portal/WEB-INF/lib/log4j-1.2.16.jar
~/cbioportal/portal/target/portal/WEB-INF/lib/slf4j-log4j12-1.7.30.jar

I wonder what the possible solutions are, such as upgrading to log4j 2.15?

Many thanks

Pim van Nierop

Dec 16, 2021, 10:44:08 AM
to Aditi Gulati, cBioPortal for Cancer Genomics Discussion Group
Hello Aditi,

Only versions >=2 have the feared exploit in log4j-core. cBioPortal uses version 1.2 and is therefore not affected by said exploit. However, from cBioPortal version 3.7.21 on, cBioPortal will use the 2.16.0 version of log4j. Note that log4j 2.15.0 does not fully correct the problem, hence the update to 2.16.0.

All the best,
pim



--
Pim van Nierop
Software Engineer / cBioPortal specialist
E p...@thehyve.nl
T +31(0)30 700 9713
M +31(0)6 29464525
W thehyve.nl

Syed Haider

Dec 17, 2021, 8:29:48 AM
to cBioPortal for Cancer Genomics Discussion Group
Hi Pim,

Any estimates on when v3.7.21 is scheduled for release?

Ino de Bruijn

Dec 17, 2021, 12:16:28 PM
to Syed Haider, cBioPortal for Cancer Genomics Discussion Group, Gaofei Zhao, Aaron Lisman
We are hoping next week. We are still testing the release.

Best wishes
Ino

Pablo Arce Garcia

Dec 23, 2021, 3:13:04 PM
to cBioPortal for Cancer Genomics Discussion Group
Hi

Just in case you missed it, 2.16.0 was discovered to be still vulnerable and 2.17.0 was released to remediate that.

Regards
Pablo

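A jar-name version check that encodes the rules from Pim's and Pablo's replies (log4j 1.x is not affected by the log4j-core exploit discussed above; log4j-core 2.x below 2.17.0 still needs the upgrade), added here as an example and not code from the thread or from cBioPortal. The jar names beyond the three in the first post are constructed, and the end-of-life remark on the 1.x branch is my addition, not something the thread states.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Version rules as stated in the thread: the exploit lives in log4j-core 2.x;
# 2.15.0 and 2.16.0 were incomplete fixes, 2.17.0 remediates it.
FIXED_VERSION = (2, 17, 0)
# Maven-style jar name such as log4j-core-2.14.1.jar -> artifact + version.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")
# Constructed sample: the three jars from the first post plus one hypothetical log4j-core.
SAMPLE_JARS = [
    "apache-log4j-extras-1.1.jar",
    "log4j-1.2.16.jar",
    "slf4j-log4j12-1.7.30.jar",
    "log4j-core-2.14.1.jar",  # hypothetical, not from the thread
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.17' into a 3-part tuple (2, 17, 0) so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def classify_jar(filename: str) -> Tuple[str, str]:
    """Return (artifact, verdict) for one jar filename."""
    m = JAR_RE.match(filename)
    if not m or "log4j" not in m.group("artifact"):
        return filename, "not-log4j"
    artifact, ver_text = m.group("artifact"), m.group("version")
    version = parse_version(ver_text)
    if artifact == "slf4j-log4j12":
        return artifact, "binding-only (check the log4j jar it binds to)"
    if artifact in ("log4j", "apache-log4j-extras") and version[0] == 1:
        return artifact, "log4j 1.x: not affected by the log4j 2 lookup issue (branch is end-of-life)"
    if artifact == "log4j-core":
        if version < FIXED_VERSION:
            return artifact, f"log4j-core {ver_text}: upgrade to 2.17.0 or later"
        return artifact, "remediated"
    return artifact, "log4j-related: review manually"

def scan_jar_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each jar name to its verdict; only log4j-related jars are reported."""
    return {n: classify_jar(n)[1] for n in names if classify_jar(n)[1] != "not-log4j"}

def scan_lib_dir(lib_dir: str) -> Dict[str, str]:
    """Same check over a real WEB-INF/lib directory, e.g. the path from the first post."""
    return scan_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))

if __name__ == "__main__":
    for jar, verdict in scan_jar_names(SAMPLE_JARS).items():
        print(f"{jar}: {verdict}")
```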
Aaron Lisman

Dec 23, 2021, 3:26:48 PM
to Pablo Arce Garcia, cBioPortal for Cancer Genomics Discussion Group
Hi Pablo,

Thanks for the alert. We just yesterday released a portal version with an upgrade to 2.17.0.

Aaron

