Affects all versions of the loci_tools.jar library.
The log4j library packaged in the deprecated loci_tools jar is vulnerable to remote code execution.
The deprecated loci_tools jar contains an embedded version of the logging library log4j. A major vulnerability in log4j has been found: "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."
The original log4j vulnerability is identified as CVE-2021-44228.
All versions of the loci_tools jar.
High severity.
All users should move from the loci_tools jar to the bioformats_package jar, which uses the logback library rather than log4j.
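
To check whether a jar on disk still carries an embedded log4j, the following added example (not part of the original advisory or the project's own code) scans a jar and any jars nested inside it for the standard log4j class and Maven metadata paths. The sample jar is constructed in memory and does not reproduce the contents of loci_tools.jar; the function names, labels and sample entries are assumptions.

```python
import io
import zipfile

# Standard class and Maven metadata paths of log4j inside a jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/"
LOG4J1_PKG = "org/apache/log4j/"
POM_V2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_V1 = "META-INF/maven/log4j/log4j/pom.properties"

def _ver(zf, names, pom):
    """Return version= from a bundled pom.properties, or None if not found."""
    text = zf.read(pom).decode("utf-8", "replace") if pom in names else ""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()

def scan_jar(data, label, max_depth=3):
    """Return (location, finding, version) tuples for log4j embedded in a jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            found.append((label, "log4j2 with JndiLookup", _ver(zf, names, POM_V2)))
        elif any(n.startswith(LOG4J2_CORE) for n in names):
            found.append((label, "log4j2 core, JndiLookup absent", _ver(zf, names, POM_V2)))
        if any(n.startswith(LOG4J1_PKG) and n.endswith(".class") for n in names):
            found.append((label, "log4j 1.x classes", _ver(zf, names, POM_V1)))
        for n in sorted(names):  # fat jars may nest further archives
            if max_depth > 0 and n.lower().endswith((".jar", ".war", ".ear")):
                try:
                    found += scan_jar(zf.read(n), f"{label}!/{n}", max_depth - 1)
                except zipfile.BadZipFile:
                    pass  # not a real archive despite the extension
    return found

def build_sample(entries):
    """Build a constructed in-memory jar from {path: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

if __name__ == "__main__":
    inner = build_sample({JNDI_LOOKUP: b"", POM_V2: b"version=2.14.1\n"})
    fat = build_sample({"example/App.class": b"", "lib/logging.jar": inner})
    for hit in scan_jar(fat, "constructed-fat.jar"):
        print(hit)
```

For a real file, pass its bytes and path to scan_jar. Relocated (shaded) packages use different paths and are not matched, so an empty result does not prove log4j is absent.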