Vulnerability
On 2021-12-10, news broke that the popular Log4J library is vulnerable to a very powerful Remote Code Execution bug that leverages the JNDI framework:
EHRbase status
EHRbase has a (transitive) dependency on Log4j2 through the Spring Boot Framework and does not explicitly specify a version of Log4j2 to use. At the time of writing, the docker image on Dockerhub pulls in the latest vulnerable version, 2.14.1 (verified by extracting the ehrbase.jar from the container image):
Upstream Fixes
At the time of writing, an updated version of Log4J has been released that will be delivered to the Spring Boot project in the upcoming release(s). The upgrade was committed about 40 minutes ago to the Spring Boot project: spring-projects/spring-boot@95a8e5e
Mitigation
EHRbase should specify an explicit version for Log4j, namely 2.15.0, in its root pom (overriding the version delivered by Spring Boot), and/or should upgrade to the upcoming bugfix releases of Spring Boot as they become available.
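The verification step from the status section above (extract ehrbase.jar from the container image and look at which log4j-core it bundles) as an automated check, added here as an example rather than code from the issue or from the EHRbase project. It assumes a standard Spring Boot fat jar layout (dependencies under BOOT-INF/lib/); the sample jar it builds is constructed for illustration and the function names are my own.

```python
import io
import re
import sys
import zipfile

# Fix version named in the issue; anything older is reported as vulnerable.
FIXED_VERSION = (2, 15, 0)
LOG4J_CORE = re.compile(r"^BOOT-INF/lib/log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def log4j_core_versions(jar_bytes):
    """Return the versions of log4j-core jars bundled inside a Spring Boot fat jar.

    Spring Boot repackages dependencies under BOOT-INF/lib/, so a plain zip
    listing is enough and nothing is executed. Only jars named in the standard
    way are seen: a shaded or renamed copy of log4j-core would be missed.
    """
    versions = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = LOG4J_CORE.match(name)
            if match:
                versions.append(tuple(int(part) for part in match.groups()))
    return versions


def vulnerable_versions(jar_bytes):
    """Bundled log4j-core versions below FIXED_VERSION, as strings for reporting."""
    return [".".join(map(str, v)) for v in log4j_core_versions(jar_bytes) if v < FIXED_VERSION]


def build_sample_fat_jar(log4j_version):
    """Constructed stand-in for ehrbase.jar with only the entries the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BOOT-INF/classes/application.yml", "server.port: 8080\n")
        jar.writestr(f"BOOT-INF/lib/log4j-api-{log4j_version}.jar", b"")
        jar.writestr(f"BOOT-INF/lib/log4j-core-{log4j_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j.py /path/to/ehrbase.jar (copied out of the image first);
    # with no argument the constructed 2.14.1 sample is checked instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat_jar("2.14.1")
    bad = vulnerable_versions(data)
    print("vulnerable log4j-core:", bad if bad else "none below 2.15.0")
    sys.exit(1 if bad else 0)
```

FIXED_VERSION is the floor this issue names; raise it as later Log4j releases supersede 2.15.0, and pair the check with the pom override above rather than relying on it alone.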