Hi,
Our IT department has identified some vulnerability issues in one of the libraries used by VERDI:
VERDI_1.5.0/plugins/core/lib/log4j-core-2.0-rc1.jar
This link reports the issue:
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
The log4j components need to be version 2.15.0 or greater to address this issue. Version 2.15.0 was released on 12/6/2021, so it looks like VERDI 2.1 still has this issue.
Would it be possible to fix the issue and update VERDI?
Thanks,
Marc
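The report above was produced by locating the bundled jar by file name. As an added example (not code from the VERDI project or anyone in this thread), the following script does that check for a whole install tree: it finds every `log4j-core-<version>.jar`, parses the version including pre-release tags such as the `2.0-rc1` in the path quoted above (a naive numeric compare gets these wrong), compares it against a fix threshold, and also reports whether the `JndiLookup` class is still inside the jar, since stripping that class was Apache's published interim mitigation for installs that could not upgrade immediately. The threshold defaults to 2.17.0, the version this thread ends on (the 2.15.0 threshold in the message was superseded as further Log4j CVEs were published); the sample jars are constructed in a temporary directory with placeholder entries, so the script runs offline.

```python
"""Find log4j-core jars under an install tree and flag those below a fixed version.

Added example for this thread; not VERDI project code. Sample jars are constructed
in a temporary directory (empty class entries, no real bytecode) so it runs offline.
"""
import os
import re
import tempfile
import zipfile

# Log4j 2 release jars are named log4j-core-<version>.jar; the version may carry a
# pre-release tag such as -rc1 or -beta9 (the VERDI 1.5.0 jar was 2.0-rc1).
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?\.jar$")

# Class implementing the JNDI lookup; removing it from the jar was Apache's published
# interim mitigation for installs that could not be upgraded immediately.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(jar_name):
    """Return a comparable key for a log4j-core jar file name, or None if not one.

    Key shape: (major, minor, patch, is_final, tag, tag_number). A final release
    sorts after any pre-release with the same numbers, so 2.0-rc1 < 2.0 < 2.15.0.
    """
    m = JAR_RE.match(jar_name)
    if m is None:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]          # 2.0 and 2.0.0 compare equal
    tag, tag_num = m.group(2), m.group(3)
    if tag:
        return nums + (0, tag.lower(), int(tag_num or 0))
    return nums + (1, "", 0)


def assess(path, minimum_fixed="2.17.0"):
    """Assess one jar: version vs. threshold and whether JndiLookup is still present.

    minimum_fixed defaults to 2.17.0, the version this thread ends on (assumption).
    Installs on the Java 7/6 backport branches (2.12.x, 2.3.x) need their own threshold.
    """
    key = parse_version(os.path.basename(path))
    threshold = parse_version(f"log4j-core-{minimum_fixed}.jar")
    with zipfile.ZipFile(path) as jar:
        jndi_present = JNDI_LOOKUP in jar.namelist()
    below = key < threshold
    if not below:
        verdict = "OK"
    elif jndi_present:
        verdict = "VULNERABLE"      # lookup code present and version predates the fixes
    else:
        verdict = "MITIGATED"       # JndiLookup stripped, but the jar still needs upgrading
    return {"path": path, "below_fix": below, "jndi_lookup_present": jndi_present,
            "verdict": verdict}


def scan(root, minimum_fixed="2.17.0"):
    """Walk root and assess every log4j-core jar; returns {relative_path: result}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if parse_version(fn) is None:
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = assess(full, minimum_fixed)
    return results


def build_sample_tree(root):
    """Constructed sample install tree (not real jars): path -> JndiLookup present?"""
    samples = {
        "VERDI_1.5.0/plugins/core/lib/log4j-core-2.0-rc1.jar": True,   # path from the thread
        "other/lib/log4j-core-2.14.1.jar": False,                      # class removed by hand
        "VERDI_2.1.2/plugins/core/lib/log4j-core-2.17.0.jar": True,    # fixed release
    }
    for rel, with_jndi in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"")   # placeholder entry, not real bytecode
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {rel: r["verdict"] for rel, r in scan(tmp).items()}


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:10} {rel}")
```

Run it against a real install by calling `scan("/path/to/VERDI")` instead of `demo()`. Note that only `log4j-core` is checked; `log4j-api` jars do not carry the lookup code, and a jar that reports `MITIGATED` has only had the JNDI class removed and should still be replaced with a fixed release.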
Thank you. We are aware of this vulnerability and are planning to release a patched version of VERDI 2.1 with log4j 2.16 or greater.
VERDI has been updated to use log4j 2.16 to eliminate the security vulnerability.
Please see the release announcement and remove older versions of VERDI and replace with VERDI v2.1.1
Important Vulnerability Update for VERDI 2.1.1 (December 2021)
VERDI 2.1.1 is released to patch and upgrade VERDI with log4j 2.0.16, removing the message lookup capability to eliminate the Log4Shell security vulnerability: Log4j – Apache Log4j Security Vulnerabilities
REPLACE ALL PRIOR versions of VERDI with this patched release version.
Additional bug fixes with this patched version.
Fixed Polar Stereographic Projection Issue for Tile Plot Display of WRF Files.
https://www.cmascenter.org/verdi/
…
Thank you,
Liz
A second VERDI update has been made to use log4j 2.17.
REPLACE ALL PRIOR versions of VERDI with this patched release version VERDI 2.1.2
ANOTHER Important Vulnerability Update for VERDI 2.1.2 (December 22, 2021)
REPLACE ALL PRIOR versions of VERDI with this patched release version VERDI 2.1.2
Updated VERDI to log4j 2.17 to fix security vulnerability: Log4j – Apache Log4j 2
Fixed Linux build to use openjdk 16.0.2 2021-07-20.
Re-enabled the splash screen with automatic version numbering.
The User Manual for VERDI has not been updated. It will be updated for the next Major Release.
https://www.cmascenter.org/verdi/
…