Genome Analysis Toolkit

Variant Discovery in High-Throughput Sequencing Data



Developed in the Data Sciences Platform at the Broad Institute, the toolkit offers a wide variety of tools with a primary focus on variant discovery and genotyping. Its powerful processing engine and high-performance computing features make it capable of taking on projects of any size.

vulnerability issue for gatk-package-4.2.5.0-local.jar

Answered

4 comments

  • Genevieve Brandt (she/her)

    Hi John Yu,

    There are a number of known security issues in the current GATK dependencies. We have already fixed the most serious issue in GATK 4.2.4.0, which was the log4j vulnerability. You can read more about that fix in our blog post here: https://gatk.broadinstitute.org/hc/en-us/articles/4412955012379-Important-GATK-version-update-required-to-address-Log4j-security-vulnerability. 

    There are still a number of critical vulnerabilities in other libraries that GATK uses. We would like to upgrade these libraries and in our work this quarter, we are making an attempt to upgrade as many vulnerable libraries as possible. We are not sure if we will be able to completely eliminate all vulnerable library versions because sometimes we have to keep older versions for compatibility purposes.

    Please let me know if you have any further questions about this issue. 

    Best,

    Genevieve

  • Chris Stone

    v4.2.5.0 is still using log4j v1.2.17. Any plans to update to log4j 2.x.x?

    # grype gatk-package-4.2.5.0-local.jar | grep -i log4j:

    log4j  1.2.17  CVE-2019-17571       Critical  
    log4j  1.2.17  CVE-2022-23307       Critical  
    log4j  1.2.17  GHSA-w9p3-5cr8-m3jj  High      
    log4j  1.2.17  CVE-2022-23305       Critical  
    log4j  1.2.17  GHSA-fp5r-v3w9-4333  High      
    log4j  1.2.17  GHSA-65fg-84f6-3jq3  Critical  
    log4j  1.2.17  CVE-2022-23302       High      
    log4j  1.2.17  GHSA-2qrg-x229-3v8q  Critical  

  • Genevieve Brandt (she/her)

    Chris Stone yes, we are working on upgrading log4j to fix more of these critical issues.

  • Genevieve Brandt (she/her)

    Chris Stone I wanted to follow up with some more specifics regarding your question. 

    GATK uses log4j v2.17.1 and not version 1. We have currently upgraded to the most current log4j version to patch the Log4j 2 shell vulnerability. The reason why you see Log4j 1 in our repo is because of dependencies of Spark. These issues you pointed out in your comment are longstanding issues and not the highly critical Log4j shell vulnerability, which we have patched.

    Please let me know if you have any further questions.

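The thread turns on what a scanner finding like "log4j 1.2.17" actually corresponds to inside a shaded jar: the toolkit's own logging (log4j 2.x) or a transitive dependency (log4j 1.x pulled in by Spark). The following is an added example, not code from GATK or from anyone in this thread; it inventories both log4j generations in a jar by class-package prefix and by the Maven pom.properties entries that scanners key on. The sample jar is constructed inline, and the function names are mine.

```python
import io
import zipfile
from collections import Counter

# Class-name prefixes of the two incompatible log4j generations.
PREFIXES = {
    "log4j-1.x": "org/apache/log4j/",
    "log4j-2.x": "org/apache/logging/log4j/",
}
# Maven pom.properties under this dir carry the versions scanners key on.
MAVEN_DIR = "META-INF/maven/"

def inventory_log4j(jar_bytes):
    """Return (classes per generation, {group:artifact: version})."""
    classes = Counter()
    versions = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            for label, prefix in PREFIXES.items():
                if name.startswith(prefix) and name.endswith(".class"):
                    classes[label] += 1
            if name.startswith(MAVEN_DIR) and name.endswith("pom.properties"):
                parts = name[len(MAVEN_DIR):].split("/")
                if len(parts) != 3 or "log4j" not in name:
                    continue  # not a log4j artifact, or unexpected layout
                group, artifact = parts[0], parts[1]
                props = dict(
                    line.split("=", 1)
                    for line in jar.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                versions[f"{group}:{artifact}"] = props.get("version", "?")
    return classes, versions

def build_sample_jar():
    """Constructed stand-in for a fat jar that bundles both generations."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        jar.writestr("org/apache/log4j/PropertyConfigurator.class", b"")
        jar.writestr("org/apache/logging/log4j/LogManager.class", b"")
        jar.writestr("META-INF/maven/log4j/log4j/pom.properties",
                     "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n")
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/"
                     "pom.properties", "version=2.17.1\n")
    return buf.getvalue()

if __name__ == "__main__":
    import sys  # usage: python log4j_inventory.py gatk-package-4.2.5.0-local.jar
    print(inventory_log4j(open(sys.argv[1], "rb").read()))
```

A non-empty "log4j-1.x" class count alongside a log4j 2.x version is exactly the situation described in this thread; whether the bundled 1.x classes are reachable at runtime is a separate question the inventory does not answer.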

