log4j vulnerability?

I’m not sure if this is the right place for this – I don’t even use Jalview, I just take care of the computers around here, and I got a report from our IT Security group that one of our computers is running Jalview and may be running Log4J and we need to take care of it. Does anyone know if Jalview is susceptible to this recent Log4J vulnerability? And if so, is there an update available to correct? Looking at the Announcements/downloads section of this forum, it would appear that the latest release is 2.11.1.4 which was released 09-03-2021.

Hi Billy - good to have you here!

We have been checking Jalview’s code and services very carefully to make sure that it is not subject to the most recent log4j2 vulnerability (CVE-2021-44228). However, the Jalview application does not employ log4j2, and so should be considered safe in normal use.

There are some older log4j classes (log4j 1.x) used by some of the libraries that the Jalview application depends on. These may have minor security issues, and if necessary we will release a security patch later this week. If you are interested, take a look at JAL-3933 on our bug tracker and hit the ‘Follow’ button on the right-hand side for updates!
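
One way to check which log4j generation an installation actually bundles, the distinction this thread turns on. This is an added example, not part of either post and not Jalview's own code. It searches jars, including nested jars, for the well-known class paths of log4j 1.x and log4j2 (with the JndiLookup class involved in CVE-2021-44228); the function names are illustrative.

```python
import io
import os
import sys
import zipfile

# Well-known class paths inside a jar. The 1.x marker also matches the
# log4j-1.2-api bridge and reload4j, so confirm a hit against the jar's version.
MARKERS = {
    "log4j-1.x": "org/apache/log4j/Logger.class",
    "log4j2-core": "org/apache/logging/log4j/core/Logger.class",
    "log4j2-JndiLookup": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
}
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def classify_archive(fileobj, depth=3):
    """Return the MARKERS labels found in an archive, descending into nested jars."""
    found = set()
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return found  # not a readable archive: nothing to report
    with zf:
        for name in zf.namelist():
            for label, marker in MARKERS.items():
                # endswith() tolerates prefixes such as BOOT-INF/classes/
                if name.endswith(marker):
                    found.add(label)
            if depth > 0 and name.lower().endswith(ARCHIVE_EXT):
                found |= classify_archive(io.BytesIO(zf.read(name)), depth - 1)
    return found


def scan_tree(root):
    """Walk root and map each archive path to the log4j markers it contains."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits = classify_archive(fh)
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(start).items()):
        print(path, ", ".join(sorted(hits)))
```

Run it with the installation directory as the only argument. A jar that reports only `log4j-1.x` matches the situation described in the reply above, while any `log4j2-JndiLookup` hit is the one to raise with the security team.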