We have an important update regarding the safety of running GATK. As you may have heard, a critical vulnerability (CVE-2021-44228) was recently discovered in Apache's Log4j software library, which is widely used for logging program output in open source projects around the world, including GATK. The security issue affects all Log4j versions older than 2.15, meaning that all versions of GATK, including the most recent at time of writing, GATK 184.108.40.206 (which bundles Log4j 2.13.1), are vulnerable. [Edit: GATK 220.127.116.11 has been released and is a safe version to use.]
As of 14 December, Apache's recommendation is to upgrade any use of Log4j to version 2.16, which includes a fix that is believed to address the security issue (see Apache's bulletin for more detail). Accordingly, we have updated the Log4j version in the development version of GATK. You can use this version by building GATK from source from the master branch on GitHub. The nightly build in container form will be available tonight (Dec 15, 2021, around 8 pm EST).
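A quick inventory check in the spirit of the advice above, added here as an illustrative example and not GATK's own tooling: it opens a jar, reads the Maven `pom.properties` that `log4j-core` leaves under `META-INF` (descending into nested jars), and reports whether the bundled Log4j is below the 2.16 that Apache recommends. The constructed sample jars, the helper names and the status labels are assumptions made for the demonstration; in practice you would point it at the GATK jar you actually run.

```python
import io
import re
import sys
import zipfile

# Apache's recommendation quoted in the announcement: move to Log4j 2.16.
RECOMMENDED_VERSION = (2, 16, 0)
# Standard Maven metadata path that log4j-core ships inside its jar.
POM_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class behind CVE-2021-44228; its presence confirms log4j-core is bundled.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.13.1' into (2, 13, 1); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])


def inspect_jar(jar_bytes, depth=0):
    """Collect log4j-core versions and JndiLookup presence from a jar.

    GATK is distributed as one jar that bundles its dependencies, so the Maven
    metadata for log4j-core lives inside that same archive. Jars nested inside
    the archive are inspected recursively, with a depth bound so an odd archive
    cannot make the scan recurse forever.
    """
    versions, jndi = set(), False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(POM_SUFFIX):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        versions.add(value.strip())
            elif name == JNDI_LOOKUP_CLASS:
                jndi = True
            elif name.endswith(".jar") and depth < 3:
                inner_versions, inner_jndi = inspect_jar(zf.read(name), depth + 1)
                versions |= inner_versions
                jndi = jndi or inner_jndi
    return versions, jndi


def assess(jar_bytes):
    """Classify a jar as 'needs_upgrade', 'ok' or 'no_log4j_found' (labels are ours)."""
    versions, jndi = inspect_jar(jar_bytes)
    if not versions:
        status = "no_log4j_found"
    elif any(parse_version(v) < RECOMMENDED_VERSION for v in versions):
        status = "needs_upgrade"
    else:
        status = "ok"
    return {"status": status, "versions": sorted(versions), "jndi_lookup_present": jndi}


def make_sample_jar(version, inner_jar=None):
    """Constructed stand-in for a GATK-style jar (not a real GATK artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(f"META-INF/maven/{POM_SUFFIX}",
                        f"version={version}\ngroupId=org.apache.logging.log4j\n"
                        "artifactId=log4j-core\n")
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if inner_jar is not None:
            zf.writestr("lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            with open(path, "rb") as fh:
                print(path, assess(fh.read()))
    else:
        # No paths given: run against constructed samples instead.
        print("bundled 2.13.1:", assess(make_sample_jar("2.13.1")))
        print("bundled 2.16.0:", assess(make_sample_jar("2.16.0")))
```

Run it as `python check_log4j.py path/to/gatk-package-local.jar` to see the bundled version and verdict for each jar you pass; anything reported as `needs_upgrade` should be moved to a build containing Log4j 2.16 or later, which is exactly what the upcoming GATK release and the nightly container do.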
We are planning to release a new stable version of GATK by the end of this week (Dec 17, 2021) so that everyone can run GATK safely. To be notified when the release is available on GitHub, see the instructions here. [The new GATK version 18.104.22.168 was released Dec 15, 2021.]
For more information about this vulnerability: