You are viewing an old version of this page. View the current version.

No version of i2b2 uses a Log4j 2.x release affected by the vulnerability discovered at the end of 2021.

Recently some vulnerabilities have been discovered in Log4j 1.x, which is used by i2b2. More details can be found here: https://www.petefreitag.com/item/926.cfm 

We have verified that i2b2 does not use any of the Log4j code with security flaws, but we still recommend the following patch to remove all dangerous Log4j code.

Method 1: Replace WAR file (easy method)

  1. Download this patched WAR file: i2b2.war with patched Log4j 1.2.15
  2. Copy it to your <wildfly>/standalone/deployments directory
  3. Restart WildFly

Method 2: Patch WAR file

  1. Download the patched log4j 1.2.15.jar at https://github.com/i2b2/i2b2-core-server/raw/54e004abb7768054d7e00f6f121048d975a96e80/edu.harvard.i2b2.server-common/lib/axis2.war/WEB-INF/lib/log4j-1.2.15.jar
  2. In your <wildfly>/standalone/deployments directory, unzip i2b2.war
  3. In the extracted files, replace WEB-INF/lib/log4j-1.2.15.jar with the patched version
  4. Zip the extracted contents into i2b2.war, and replace the old version
  5. Restart WildFly
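After either method, you can confirm that the deployed WAR no longer carries the risky Log4j 1.x classes. The script below is an added example, not part of the i2b2 project: it opens the WAR, reads every log4j jar under WEB-INF/lib, and reports which listed classes are still present. The class list is an assumption (classes commonly stripped from hardened Log4j 1.x builds); this page does not state which classes the patched jar removes. `build_sample_war` only constructs test input.

```python
import io
import sys
import zipfile

# Assumption: Log4j 1.x classes commonly removed from hardened builds.
# The page does not list what the patched jar strips; adjust as needed.
RISKY_PREFIXES = (
    "org/apache/log4j/net/JMSAppender",
    "org/apache/log4j/net/JMSSink",
    "org/apache/log4j/net/SocketServer",
    "org/apache/log4j/jdbc/JDBCAppender",
    "org/apache/log4j/chainsaw/",
)

def risky_classes_in_war(war_bytes):
    """Map each log4j jar under WEB-INF/lib to the risky classes it still holds."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            if not (name.startswith("WEB-INF/lib/")
                    and base.startswith("log4j") and base.endswith(".jar")):
                continue
            # The jar is itself a zip archive nested inside the WAR.
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                findings[name] = sorted(
                    e for e in jar.namelist()
                    if e.endswith(".class") and e.startswith(RISKY_PREFIXES)
                )
    return findings

def build_sample_war(class_names):
    """Constructed sample input: a WAR with one log4j jar of empty class files."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        for cls in class_names:
            jar.writestr(cls, b"")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.15.jar", jar_buf.getvalue())
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return war_buf.getvalue()

if __name__ == "__main__":
    # Usage: python check_war.py <wildfly>/standalone/deployments/i2b2.war
    with open(sys.argv[1], "rb") as fh:
        for jar_name, hits in risky_classes_in_war(fh.read()).items():
            print(jar_name, "clean" if not hits else hits)
```

An empty list for every jar means none of the listed classes remain; a WAR with no log4j jar under WEB-INF/lib yields an empty result, which should be treated as "nothing checked" rather than "clean".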

Long Term Plan

We are working to upgrade i2b2 to use the latest log4j version 2, which we plan to include in 1.7.13 later this spring.