i2b2 Community Wiki

No version of i2b2 uses a Log4j 2.x version affected by the vulnerability discovered at the end of 2021.

Recently some vulnerabilities have been discovered in Log4j 1.x, which is used by i2b2. More details can be found here: https://www.petefreitag.com/item/926.cfm 

We have verified that i2b2 does not use any of the Log4j code with security flaws, but we still recommend the following patch to remove all dangerous Log4j code.

Method 1: Replace WAR file (easy method)

  1. Download this patched WAR file: i2b2.war with patched Log4j 1.2.15
  2. Copy it to your <wildfly>/standalone/deployments directory
  3. Restart WildFly

Method 2: Patch WAR file

  1. Download the patched log4j-1.2.15.jar at https://github.com/i2b2/i2b2-core-server/raw/54e004abb7768054d7e00f6f121048d975a96e80/edu.harvard.i2b2.server-common/lib/axis2.war/WEB-INF/lib/log4j-1.2.15.jar
  2. In your <wildfly>/standalone/deployments directory, unzip i2b2.war
  3. In the extracted files, replace WEB-INF/lib/log4j-1.2.15.jar with the patched version
  4. Zip the extracted contents into i2b2.war, and replace the old version
  5. Restart WildFly
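
After either method, the deployed WAR can be checked before restarting. The script below is an added example, not i2b2 project code: it opens a WAR, finds the bundled Log4j 1.x jar, and reports its SHA-256 plus any network, JDBC or Chainsaw classes still present. The class list is an assumption based on the Log4j 1.x classes commonly stripped by hardening patches, not a list taken from the i2b2 patch, and `make_sample_war` builds a constructed sample so the script runs offline.

```python
import hashlib
import io
import zipfile

# Assumption: Log4j 1.x classes commonly removed by hardening patches.
# Not taken from the i2b2 patch itself; adjust to your own policy.
RISKY_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/JMSSink.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
    "org/apache/log4j/jdbc/JDBCAppender.class",
}
RISKY_PREFIXES = ("org/apache/log4j/chainsaw/",)


def audit_war(war):
    """Map each WEB-INF/lib/log4j-1.*.jar in `war` (path or file object) to its hash and risky classes."""
    report = {}
    with zipfile.ZipFile(war) as outer:
        for name in outer.namelist():
            base = name.rsplit("/", 1)[-1]
            if not (name.startswith("WEB-INF/lib/") and base.startswith("log4j-1.") and base.endswith(".jar")):
                continue
            data = outer.read(name)  # nested jar is read into memory, nothing is extracted to disk
            with zipfile.ZipFile(io.BytesIO(data)) as jar:
                entries = jar.namelist()
            risky = sorted(e for e in entries if e in RISKY_CLASSES or e.startswith(RISKY_PREFIXES))
            report[name] = {"sha256": hashlib.sha256(data).hexdigest(), "risky": risky}
    return report


def make_sample_war(class_names):
    """Build a constructed sample WAR in memory (not a real i2b2.war)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        for entry in class_names:
            jar.writestr(entry, b"")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.15.jar", jar_buf.getvalue())
    war_buf.seek(0)
    return war_buf


if __name__ == "__main__":
    sample = make_sample_war(["org/apache/log4j/Logger.class", "org/apache/log4j/net/JMSAppender.class"])
    for jar_path, info in audit_war(sample).items():
        print(jar_path, info["sha256"], info["risky"] or "no risky classes found")
```

To check a real deployment, pass the path to i2b2.war in the deployments directory to `audit_war`; the reported SHA-256 can be compared with a hash of the patched jar you downloaded.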

i2b2 1.7.13

i2b2 1.7.13, to be released this spring, will be upgraded to the latest version of Log4j 2.
