cpt4.jar Log4j vulnerability #268

Open
alex-golts opened this issue Dec 14, 2021 · 3 comments
@alex-golts

I found that the cpt4.jar file which is currently obtained from athena.ohdsi.org contains the 2.14 version of the Apache Log4j library which suffers from the "famous" recently found critical vulnerability.
It would be much appreciated if the Log4j dependency could be updated to the latest version in the downloadable .jar file that is found at the Athena website. Thank you!

@konstjar
Collaborator

Thanks for reporting. It will be addressed ASAP

@ahammais

ahammais commented Sep 9, 2022

May I ask if this issue has been fixed? If we download a new vocabulary set from Athena now, which log4j version will we get in the cpt4.jar? Our data security personnel recommend we don't use anything below 2.17.1.

@mik-ohdsi

Dear @konstjar - I think with the latest fixes in the CPT4.jar, the vulnerability should be fixed, too, right?
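
One way to answer the question raised in this thread (which log4j version a downloaded jar actually bundles) is to read the Maven metadata inside the archive. The following is an added example, not part of the original thread and not code from the project; it assumes the jar kept its `pom.properties` entries when it was built, and `find_log4j_core`, `below_minimum` and `make_jar` are hypothetical helper names. The 2.17.1 floor is the one quoted in the thread.

```python
import io
import re
import zipfile

MIN_VERSION = (2, 17, 1)  # floor quoted in the thread; adjust to your own policy
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14' -> (2, 14, 0). Only the leading numeric part is compared."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in m.group(0).split(".")[:3]] if m else []
    return tuple(parts + [0] * (3 - len(parts)))


def find_log4j_core(jar, prefix="", depth=0):
    """Return [(location, version)] for each log4j-core copy inside a jar."""
    # Assumption: Maven metadata was kept at build time. An empty result is
    # therefore not proof that log4j-core is absent (it may have been stripped).
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    found.append((prefix + name, parse_version(m.group(1))))
            elif name.lower().endswith((".jar", ".war")) and depth < 3:
                inner = io.BytesIO(zf.read(name))  # nested archive, e.g. lib/*.jar
                if zipfile.is_zipfile(inner):
                    found += find_log4j_core(inner, prefix + name + "!/", depth + 1)
    return found


def below_minimum(jar):
    """Copies of log4j-core older than MIN_VERSION."""
    return [(loc, v) for loc, v in find_log4j_core(jar) if v < MIN_VERSION]


def make_jar(entries):
    """Build an in-memory jar from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

`find_log4j_core` and `below_minimum` accept a file path as well as a file-like object, so they can be pointed directly at a downloaded jar.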
