
cpt4.jar Log4j vulnerability

Open alex-golts opened this issue 3 years ago • 3 comments

I found that the cpt4.jar file which is currently obtained from athena.ohdsi.org contains the 2.14 version of the Apache Log4j library which suffers from the "famous" recently found critical vulnerability. It would be much appreciated if the Log4j dependency could be updated to the latest version in the downloadable .jar file that is found at the Athena website. Thank you!

alex-golts avatar Dec 14 '21 20:12 alex-golts

Thanks for reporting. It will be addressed ASAP

konstjar avatar Dec 14 '21 20:12 konstjar

May I ask if this issue has been fixed? If we download a new vocabulary set from Athena now, which log4j version will we get in the cpt4.jar? Our data security personnel recommend we don't use anything below 2.17.1.

ahammais avatar Sep 09 '22 12:09 ahammais
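The question above (which Log4j version a downloaded cpt4.jar actually carries) can be answered locally before the jar is run. The following Python script is an added example, not code from the OHDSI Athena project: it opens a jar with the standard `zipfile` module, reads the `version` key from any bundled `META-INF/maven/org.apache.logging.log4j/<artifact>/pom.properties`, recurses into nested jars (fat jars often embed dependencies), notes whether `JndiLookup.class` is present, and compares the `log4j-core` version against the 2.17.1 floor mentioned in the thread. The sample jars it builds in memory, including their version strings, are constructed for the demonstration and do not describe the real cpt4.jar.

```python
"""Report the Log4j version bundled in a jar (added example, not OHDSI code).
The sample jars built below are constructed in memory for illustration."""
import io
import re
import sys
import zipfile

# Minimum version the thread's security staff asked for (assumption: tuple form).
MIN_SAFE = (2, 17, 1)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/(log4j-[a-z0-9-]+)/pom\.properties$"
)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); trailing qualifiers such as '-rc1' are ignored."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def inspect_jar(data):
    """Return {'artifacts': {artifact: version}, 'jndi_lookup': bool} for a jar
    given as bytes, descending into any nested .jar entries."""
    found = {"artifacts": {}, "jndi_lookup": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                found["jndi_lookup"] = True
            m = POM_RE.match(name)
            if m:
                props = zf.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        found["artifacts"][m.group(1)] = value.strip()
            elif name.lower().endswith(".jar"):
                inner = inspect_jar(zf.read(name))
                found["artifacts"].update(inner["artifacts"])
                found["jndi_lookup"] = found["jndi_lookup"] or inner["jndi_lookup"]
    return found


def assess(found):
    """Return (ok, reason). ok is True only when log4j-core is known and
    at least MIN_SAFE; an unknown version is reported, not assumed safe."""
    core = found["artifacts"].get("log4j-core")
    floor = ".".join(str(n) for n in MIN_SAFE)
    if core is None:
        if found["jndi_lookup"]:
            return False, "JndiLookup.class present but log4j-core version unknown"
        return True, "no log4j-core artifact found"
    if parse_version(core) < MIN_SAFE:
        return False, f"log4j-core {core} is below {floor}"
    return True, f"log4j-core {core} meets the {floor} floor"


def build_sample_jar(version, include_jndi=True, nested=False):
    """Construct an in-memory jar resembling a fat jar that bundles log4j-core.
    When nested=True the log4j entries sit inside lib/log4j-core.jar."""
    def write_log4j(zf):
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n",
        )
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if nested:
            inner_buf = io.BytesIO()
            with zipfile.ZipFile(inner_buf, "w") as inner:
                write_log4j(inner)
            outer.writestr("lib/log4j-core.jar", inner_buf.getvalue())
        else:
            write_log4j(outer)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_log4j.py path/to/cpt4.jar
        with open(sys.argv[1], "rb") as fh:
            result = inspect_jar(fh.read())
    else:  # no path given: run on a constructed sample jar
        result = inspect_jar(build_sample_jar("2.14.1"))
    ok, reason = assess(result)
    print(result, "->", "OK" if ok else "NOT OK", "-", reason)
```

Run it against the downloaded jar (`python check_log4j.py cpt4.jar`); a result of `NOT OK` with the reported version is what to hand to the security team, and an unknown version with `JndiLookup.class` present is deliberately not treated as safe.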

Dear @konstjar - I think with the latest fixes in the CPT4.jar, the vulnerability should be fixed, too, right?

mik-ohdsi avatar Sep 15 '22 12:09 mik-ohdsi