EHRbase vulnerable to CRITICAL Log4j RCE vulnerability

[jpwiedekopf]

Vulnerability

On 2021-12-10, news broke that the popular Log4J library is vulnerable to a very powerful Remote Code Executation bug that leverages the JDNI framework:

• CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
• Heise (German): https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html
• Disclosure blog post (English): https://www.lunasec.io/docs/blog/log4j-zero-day/

EHRbase status

EHRbase has a (transititive) dependency on Log4j2 through the Spring Boot Framework and does not explicitly specify a version of Log4j2 to use. At the time of writing, the docker image on Dockerhub pulls in the latest vulnerable version, 2.14.1 (verified by extracting the ehrbase.jar from the container image):

ehrbase :: ~/ehrbase-jar » find -name "*log*"
./BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar
./BOOT-INF/lib/log4j-core-2.14.1.jar

Upstream Fixes

At the time of writing, an updated version of Log4J has been released that will be delivered to the Spring Boot project in the upcoming release(-s). The upgrade has been committed about 40 minutes ago to the Spring Boot project: spring-projects/spring-boot@95a8e5e

Mitigation

EHRbase should specify an explicit version for Log4j, namely 2.15.0 in its root pom (overriding the version delivered by Spring Boot), and/or should upgrade to the upcoming bugfix-releases of Spring Boot as they become available.

[maximni-vg]

The vulnerable Log4J dependency is updated to a newer, non-vulnerable version in release 0.18.0.