Security advisory: Update to WebAnnno 3.6.8 or INCEpTION 21.3
8 views
Skip to first unread message
Richard Eckart de Castilho
Dec 11, 2021, 5:41:57 PM12/11/21
to webanno-user
Dear WebAnno users,
a critical security issue was found in the popular LOG4J library which WebAnno
also uses and which could under certain circumstances be use to remotely execute
commands on the machine running WebAnno.
https://www.lunasec.io/docs/blog/log4j-zero-day/
Although WebAnno does not make use of the JNDI technology that is mentioned in
the blog article, it is still advised that you upgrade to the latest WebAnno 3.6.8
which includes an updated LOG4J version that fixes the security issue.
If you are unable to update immediately WebAnno, it is recommended to start it
with the option `-Dlog4j2.formatMsgNoLookups=true` [1] when starting it.
The security issue affects in particular older Java versions, so please also
ensure that you run the latest update of your Java version. And of course,
please keep your system up-to-date with your usual operating system updates
and remember to make backups of your data.
WebAnno 3.6.8 is available from our homepage as well as from DockerHub.
https://webanno.github.io/webanno/
WebAnno 3 runs on Java versions from 8 up to 15. It is not compatible with Java 16
or higher.
Thus it is a good time to look forward and consider upgrading to a new annotation tool:
INCEpTION 21.3 - https://inception-project.github.io
INCEpTION brings tons of new feature and enhancements including a completely new
annotation recommender system, search, knowledge-base support and a vastly improved
user experience.
And best of all: in most cases, you can export your projects from WebAnno, import
them into INCEpTION and continue working.
Best,
-- Richard
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
P.S.: WebAnno comes without any kind of warranty and the contributors assume no
liabilities in case of damages. For more details, please refer to the license:
https://raw.githubusercontent.com/webanno/webanno/master/LICENSE.txt
a critical security issue was found in the popular LOG4J library which WebAnno
also uses and which could under certain circumstances be use to remotely execute
commands on the machine running WebAnno.
https://www.lunasec.io/docs/blog/log4j-zero-day/
Although WebAnno does not make use of the JNDI technology that is mentioned in
the blog article, it is still advised that you upgrade to the latest WebAnno 3.6.8
which includes an updated LOG4J version that fixes the security issue.
If you are unable to update immediately WebAnno, it is recommended to start it
with the option `-Dlog4j2.formatMsgNoLookups=true` [1] when starting it.
The security issue affects in particular older Java versions, so please also
ensure that you run the latest update of your Java version. And of course,
please keep your system up-to-date with your usual operating system updates
and remember to make backups of your data.
WebAnno 3.6.8 is available from our homepage as well as from DockerHub.
https://webanno.github.io/webanno/
WebAnno 3 runs on Java versions from 8 up to 15. It is not compatible with Java 16
or higher.
Thus it is a good time to look forward and consider upgrading to a new annotation tool:
INCEpTION 21.3 - https://inception-project.github.io
INCEpTION brings tons of new feature and enhancements including a completely new
annotation recommender system, search, knowledge-base support and a vastly improved
user experience.
And best of all: in most cases, you can export your projects from WebAnno, import
them into INCEpTION and continue working.
Best,
-- Richard
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
P.S.: WebAnno comes without any kind of warranty and the contributors assume no
liabilities in case of damages. For more details, please refer to the license:
https://raw.githubusercontent.com/webanno/webanno/master/LICENSE.txt
Reply all
Reply to author
Forward
0 new messages