Log4j Shell Vulnerability

[saradeelstra]

I’m sure you are well aware of the vulnerability with Log4j. We are needing to determine if White Rabbit is vulnerable. If so, do you plan on creating a patch or have a plan to patch?

If you could please respond asap, I would greatly appreciate it as we have a deadline of 12/22 to confirm no vulnerabilities, prior to shutting off services to the application.

[saradeelstra]

Also inquiring about Usagi software.

[MaximMoinat]

Thanks for raising this issue. We are tracking the situation and will apply a patch like already being worked on for the OHDSI Atlas/WebApi. We will incorporate this in the next release of WhiteRabbit/Usagi.

At this point, I cannot give you a timeline. As WhiteRabbit/Usagi is typically run locally (ie. not hosted as a webservice), this currently does not have a high priority. If you are uncertain whether this tool may provide a vulnerability, please shut them off until we have implemented the patch.

[MaximMoinat]

Upon further investigation we found that WhiteRabbit (and Usagi) do not use Log4j, but apache commons-logging and slf4j-simple for logging. These are not susceptible to the Log4j vulnerability.