Actually, I would like to generalize @Javier 's query about log4j – in addition to Atlas, are there any other OHDSI tools that also use this infrastructure. And for all tools who are using log4j, what needs to happen to fix this vulnerability in new build?
Hi, i found the following which also describes the (smaller) potential in Version 1 of log4j.
“As log4j 1.x does NOT offer a JNDI look up mechanism at the message level, it does NOT suffer from CVE-2021-44228. However, log4j 1.x comes with JMSAppender which will perform a JNDI lookup if enabled in log4j’s configuration file, i.e. log4j.properties or log4j.xml. Thus, an attacker who already has write access to an application’s log4j configuration file can trigger an RCE attack whenever log4j 1.x reads a corrupt/malicious configuration file.” [1]
I wanted to provide some additional information on Log4Shell and the OHDSI software. As mentioned by @Konstantin_Yaroshove Log4j v2 is not used by the software stack inclusive of Atlas/WebAPI/Hades so the good news is that the Log4Shell vulnerability does not impact us. There are known issues with Log4j v1 as noted by @Mirko but these are less severe when compared to the Log4Shell vulnerability.
We are currently working on a patch for WebAPI to allow us to upgrade to Log4j v2 that allows us to move past all known vulnerabilities. Updating any component, such as Log4j, to a new major version (in this case v1 → v2) requires careful testing to ensure we preserve backwards compatibility and to not introduce new errors. When this patch is ready, we’ll communicate it out to the OHDSI community.
It is also important to note that popular open-source client SQL Workbench/J also uses log4j package, and as of now did not receive any updates recently, so it is very much possible that it has the same vulnerability. I would recommend to switch to DBeaver for now: it’s another great open-source tool that does not use the affected library.
For log4j, we’d like to make sure we’re using the latest version so we by-pass all known CVEs. That said, it looks like work around log4j v2 is still on-going. Last week the guidance was to patch log4j to v2.15.0 and then this week another vulnerability was identified resulting in a v2.16.0. It would seem prudent to give it some time to wait for stable, secure release of log4j v2 since the stack is not vulnerable to these zero-day attacks.
I’ve asked Thomas Kellerer, who is the developer of Workbench/J, about this problem by email, and he answered that by default Workbench/J does not use Log4J. Good news for those who love old-school things and/or minimalistic Windows 98 style
is it really ATLAS? Same drivers are being used by all OHDSI tools.
Anyhow, you definitely bring up a very good point - the shared common, mostly 3rd party, components that used across the whole stack and need to be maintained and synchronized
As I see there is some update done for log4j in git hub. (1970 pull request). is it affective already. we are still using old version. if we need to update, do we need to clone the new git hub repo for log4j update?
@anthonysena Watching yesterdays WG meeting, I understood that Atlas/WebAPI release v2.11 will be discussed further in March. In the meantime, from looking at recent WebAPI PR it seems that the the security fixes have been merged.
Is there already a plan to release Atlas/WebAPI with these security fixes (i.e. v2.10.2)?