2021-SV4 log4j in loci_tools.jar

affects all versions of the loci_tools.jar library


Synopsis

The log4j library bundled in the deprecated loci_tools.jar is vulnerable to remote code execution.

Background

The deprecated loci_tools jar contains an embedded version of the logging library log4j. A major vulnerability in log4j has been found: "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."

The original log4j vulnerability is identified as CVE-2021-44228.

Affected Packages

All versions of the loci_tools jar.

Impact

High severity. An attacker who can get attacker-controlled text into a log message or log parameter handled by the bundled log4j can execute arbitrary code in the process that loaded loci_tools.jar.

Resolution

All users should migrate from loci_tools.jar to bioformats_package.jar, which uses the logback library rather than log4j. loci_tools.jar is deprecated and will not receive a patched log4j.
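Before and after migrating, a practitioner will want to confirm whether a given jar (a fat jar such as loci_tools.jar, or an application that bundles it or nests it) still carries log4j-core with the JndiLookup class that CVE-2021-44228 abuses. The scanner below is an added example, not code from this advisory or from the Bio-Formats project. It looks for the JndiLookup class, reads the log4j-core version from any Maven pom.properties the jar kept, recurses into nested jars, and applies the affected range from the quoted description (up to 2.14.1, starting at 2.0-beta9, with Apache's backport fix releases 2.12.2 and 2.3.1 treated as fixed). The sample jars it builds are constructed in memory for demonstration and are not real Bio-Formats artifacts.

```python
"""Scan a jar for an embedded Apache Log4j 2 core with JndiLookup present.

Added example for the OME advisory on loci_tools.jar; not project code.
Usage: python scan_jar.py path/to/loci_tools.jar [more.jar ...]
With no arguments it scans two constructed in-memory sample jars.
"""
import io
import re
import sys
import zipfile

# The class the JNDI-lookup RCE needs; Apache's interim mitigation was to
# delete exactly this entry from log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that shaded/fat jars usually keep, giving the exact core version.
LOG4J_CORE_POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
VERSION_LINE_RE = re.compile(r"^version=(.+)$", re.M)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def vulnerable_to_44228(version):
    """True if a log4j-core version is in the CVE-2021-44228 range
    (2.0-beta9 through 2.14.1, except the backported fixes 2.12.2+ and 2.3.1+),
    False if outside it, None if the string cannot be parsed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    tag, tag_num = m.group(4), m.group(5)
    if major != 2 or (minor, patch) > (14, 1):
        return False
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return False
    if minor == 0 and patch == 0 and tag == "beta":
        return int(tag_num or 0) >= 9      # 2.0-beta1..beta8 predate JndiLookup
    return True


def scan_jar(jar, _depth=0):
    """Scan a jar given as a path or file-like object; recurse into nested *.jar entries."""
    report = {"jndi_lookup_present": False, "log4j_core_versions": [],
              "logback_present": False}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP_CLASS:
                report["jndi_lookup_present"] = True
            elif name.startswith("ch/qos/logback/"):
                report["logback_present"] = True
            elif LOG4J_CORE_POM_RE.search(name):
                m = VERSION_LINE_RE.search(zf.read(name).decode("utf-8", "replace"))
                if m:
                    report["log4j_core_versions"].append(m.group(1).strip())
            elif name.endswith(".jar") and _depth < 3:
                nested = scan_jar(io.BytesIO(zf.read(name)), _depth + 1)
                report["jndi_lookup_present"] |= nested["jndi_lookup_present"]
                report["logback_present"] |= nested["logback_present"]
                report["log4j_core_versions"] += nested["log4j_core_versions"]
    versions = report["log4j_core_versions"]
    # JndiLookup present with no readable version: treat as vulnerable until proven otherwise.
    report["vulnerable"] = report["jndi_lookup_present"] and (
        not versions or any(vulnerable_to_44228(v) is not False for v in versions))
    return report


def build_sample_jar(vulnerable):
    """Constructed in-memory sample jar for demonstration (not a real loci_tools.jar).
    vulnerable=True mimics a fat jar that shades log4j-core 2.14.1;
    vulnerable=False mimics one that shades logback instead."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("loci/Placeholder.class", b"\xca\xfe\xba\xbe")   # dummy class bytes
        if vulnerable:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
            zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                        "version=2.14.1\ngroupId=org.apache.logging.log4j\n"
                        "artifactId=log4j-core\n")
        else:
            zf.writestr("ch/qos/logback/classic/Logger.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_jar(path))
    else:
        print("constructed fat jar with log4j-core:", scan_jar(build_sample_jar(True)))
        print("constructed jar with logback:", scan_jar(build_sample_jar(False)))
```

Point the script at the jars actually on your classpath rather than trusting artifact names: a fat jar that repackages loci_tools.jar hides the log4j classes under its own name, and the JndiLookup entry is what matters, not the filename.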
