i2b2 1.7.13 log4j vulnerability


Daryl B

Mar 26, 2024, 12:02:11 PM
to i2b2 Install Help
Our vulnerability scanner is flagging this version. It appears to not like the log4j-1.2.8.jar file located in the analysis-commons-launcher. I believe I read that all log4j would be upgraded to version 2.x for i2b2 version 1.7.13.

Any clarification and confirmation that the jar file is not vulnerable would be greatly appreciated.

Sincerely,

Daryl

Jeff Klann

Mar 26, 2024, 4:59:41 PM
to i2b2 Install Help
Yes, we did upgrade to log4j 2.x. I do see the 1.2.8 jar in the repository (in analysis-commons), but I don't see references to it in the server code. I'm checking with our team and will get back to you, but my guess is it is not used and would be safe to delete.

Thanks,
Jeff Klann

Daryl B

May 7, 2024, 2:40:12 PM
to i2b2 Install Help
Jeff,

Did you get a response from your team?

Sincerely,

Daryl

Jeff Klann

May 13, 2024, 11:23:36 AM
to i2b2 Install Help
Hi, sorry for the slow response. Yes, the old log4j library was unused and can be removed. It has been replaced by a newer version in this commit. 

(The library is in the directory so CRC Plugins can do logging - however, most sites do not use CRC Plugins, and none are included with i2b2.)

Thanks,
Jeff
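An added example, not code from the i2b2 project or from anyone in this thread, for confirming what a cleanup like the one above leaves behind: it walks a deployment directory and classifies every jar by the log4j classes it actually contains, so a renamed or shaded jar is still caught and an unrelated jar is not flagged on file name alone. The directory layout and jar contents in demo() are constructed for the demonstration.

```python
import os
import tempfile
import zipfile

# Class files that identify the two log4j lines inside a jar, even when the
# file name or manifest says nothing useful (shaded or renamed jars).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"            # log4j 1.x
LOG4J2_MARKER = "org/apache/logging/log4j/Logger.class"    # log4j 2.x


def classify_jar(path):
    """Return 'log4j1', 'log4j2' or None depending on which classes the jar ships."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    if LOG4J1_MARKER in names:
        return "log4j1"
    if LOG4J2_MARKER in names:
        return "log4j2"
    return None


def inventory(root):
    """Map each jar under root that carries log4j classes (path relative to root) to its family."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            family = classify_jar(path)
            if family:
                found[os.path.relpath(path, root).replace(os.sep, "/")] = family
    return found


def make_jar(path, entries):
    """Write a minimal jar holding only the given empty entries (constructed sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")


def demo():
    """Build a constructed layout loosely modelled on the thread and inventory it."""
    root = tempfile.mkdtemp()
    make_jar(os.path.join(root, "analysis-commons-launcher", "log4j-1.2.8.jar"), [LOG4J1_MARKER])
    make_jar(os.path.join(root, "lib", "log4j-core.jar"), [LOG4J2_MARKER])
    make_jar(os.path.join(root, "lib", "other.jar"), ["com/example/Foo.class"])
    return inventory(root)
```

Point inventory() at a real i2b2 installation directory to list every jar that still contains log4j 1.x classes after the old jar has been deleted.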
