vulnerability issue for gatk-package-4.2.5.0-local.jar
REQUIRED for all errors and issues:
a) GATK version used: 4.2.5
b) Exact command used:
c) Entire program log:
We are using gatk4 for one tool in our application. Our security scanner found a lot of vulnerability issues for gatk-package-4.2.5.0-local.jar. Could you please let us know if you will fix all the issues? Here is ONE log after scanning:
{ "version": "4.1.42.Final", "name": "io.netty_netty-all", "path": "/opt/conda/share/gatk4-4.2.5.0-0/gatk-package-4.2.5.0-local.jar", "cveCount": 12, "license": "", "layerTime": 1646724034 },
{ "text": "", "id": 47, "severity": "critical", "cvss": 9.1, "status": "fixed in 4.1.44", "cve": "CVE-2019-20444", "cause": "", "description": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \\\"invalid fold.\\\"", "title": "", "vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "exploit": "", "riskFactors": { "Attack complexity: low": { }, "Attack vector: network": { }, "Critical severity": { }, "Has fix": { } }, "link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20444", "type": "image", "packageName": "io.netty_netty-all", "packageVersion": "4.1.42.Final", "layerTime": 1646724034, "templates": null, "twistlock": false, "cri": false, "published": 1580332500, "fixDate": 1580332500, "applicableRules": [ "<4.1.44" ], "discovered": "2022-03-08T23:35:21.697Z" },
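A scanner report like the one above lists every CVE known for the detected package version, so the first defender's step is to check which findings actually apply to the bundled version and which already have a fixed release. The script below is an added example, not code from the question or from the GATK project: it parses a constructed record shaped after the pasted output (the netty entry and CVE-2019-20444 are taken from it; the second finding, CVE-EXAMPLE-0001, is a placeholder to show a non-applicable range), evaluates each "applicableRules" range such as "<4.1.44" against the installed "packageVersion", and returns the applicable findings ordered by CVSS.

```python
"""Triage scanner findings by checking the installed package version against
each finding's version range. Added example; the record layout (a package with
a nested "vulnerabilities" list) is constructed, not the scanner's exact schema."""
import json
import re

# Constructed sample modelled on the scan output quoted in the question.
SCAN_JSON = """
[
  {"version": "4.1.42.Final", "name": "io.netty_netty-all",
   "path": "/opt/conda/share/gatk4-4.2.5.0-0/gatk-package-4.2.5.0-local.jar",
   "vulnerabilities": [
     {"cve": "CVE-2019-20444", "severity": "critical", "cvss": 9.1,
      "status": "fixed in 4.1.44", "packageVersion": "4.1.42.Final",
      "applicableRules": ["<4.1.44"]},
     {"cve": "CVE-EXAMPLE-0001", "severity": "medium", "cvss": 5.3,
      "status": "open", "packageVersion": "4.1.42.Final",
      "applicableRules": ["<4.1.40"]}
   ]}
]
"""


def parse_version(text):
    """Numeric components of a version string: '4.1.42.Final' -> (4, 1, 42).
    Qualifiers such as 'Final' are ignored for range comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def _cmp(a, b):
    """Three-way compare of two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "=": lambda c: c == 0, "": lambda c: c == 0,
}


def rule_applies(version, rule):
    """True if `version` lies inside a range rule such as '<4.1.44'."""
    m = re.match(r"^\s*(<=|>=|<|>|=)?\s*([\w.\-]+)\s*$", rule)
    if not m:
        raise ValueError(f"unrecognised rule: {rule!r}")
    op, bound = m.group(1) or "", m.group(2)
    return _OPS[op](_cmp(parse_version(version), parse_version(bound)))


def triage(scan_json):
    """Return the findings whose version range matches the installed version,
    highest CVSS first, each tagged with whether the scanner reports a fix."""
    out = []
    for pkg in json.loads(scan_json):
        for v in pkg["vulnerabilities"]:
            rules = v.get("applicableRules") or []
            # A finding with rules that all miss the installed version is noise.
            if rules and not any(rule_applies(v["packageVersion"], r) for r in rules):
                continue
            out.append({
                "package": pkg["name"],
                "cve": v["cve"],
                "severity": v["severity"],
                "cvss": v["cvss"],
                "has_fix": v["status"].startswith("fixed in"),
            })
    return sorted(out, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SCAN_JSON):
        print(finding)
```

The has_fix flag matters for a triage queue: a critical finding with a fixed upstream release (here netty 4.1.44) can be resolved by a dependency bump, whereas one without a fix needs a compensating control or an accepted-risk decision.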
-
Hi John Yu,
There are a number of known security issues in the current GATK dependencies. We have already fixed the most serious issue in GATK 4.2.4.0, which was the log4j vulnerability. You can read more about that fix in our blog post here: https://gatk.broadinstitute.org/hc/en-us/articles/4412955012379-Important-GATK-version-update-required-to-address-Log4j-security-vulnerability.
There are still a number of critical vulnerabilities in other libraries that GATK uses. We would like to upgrade these libraries and in our work this quarter, we are making an attempt to upgrade as many vulnerable libraries as possible. We are not sure if we will be able to completely eliminate all vulnerable library versions because sometimes we have to keep older versions for compatibility purposes.
Please let me know if you have any further questions about this issue.
Best,
Genevieve
-
v4.2.50 is still using log4j v1.2.17. Any plans to update to log4j 2.x.x?
# grype gatk-package-4.2.5.0-local.jar | grep -i log4j:
log4j 1.2.17 CVE-2019-17571 Critical
log4j 1.2.17 CVE-2022-23307 Critical
log4j 1.2.17 GHSA-w9p3-5cr8-m3jj High
log4j 1.2.17 CVE-2022-23305 Critical
log4j 1.2.17 GHSA-fp5r-v3w9-4333 High
log4j 1.2.17 GHSA-65fg-84f6-3jq3 Critical
log4j 1.2.17 CVE-2022-23302 High
log4j 1.2.17 GHSA-2qrg-x229-3v8q Critical
-
Chris Stone yes, we are working on upgrading log4j to fix more of these critical issues.
-
Chris Stone I wanted to follow up with some more specifics regarding your question.
GATK uses log4j v2.17.1 and not version 1. We have upgraded to the most current log4j version to patch the Log4j 2 shell vulnerability. The reason why you see Log4j 1 in our repo is because of dependencies of Spark. These issues you pointed out in your comment are longstanding issues and not the highly critical Log4j shell vulnerability, which we have patched.
Please let me know if you have any further questions.
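The distinction drawn in this answer, an application logging through log4j 2.17.1 while a transitive dependency also ships log4j 1.2.17 classes into the same shaded jar, is something a practitioner can verify directly rather than infer from a scanner label. The script below is an added example, not code from the GATK project or this thread: it opens a jar as a zip archive, reads the Maven pom.properties metadata embedded under META-INF/maven/, and checks for marker classes that identify the log4j 1.x and 2.x class trees. The jar it inspects is constructed in memory with empty placeholder class entries; the version strings 1.2.17 and 2.17.1 are those named in the thread.

```python
"""Report which log4j artifacts and class trees are bundled inside a shaded jar.
Added example; build_sample_jar() is a constructed stand-in for the real jar."""
import io
import zipfile

# Class paths that identify each log4j lineage inside a fat jar.
MARKERS = {
    "log4j 1.x": "org/apache/log4j/Category.class",
    "log4j 2.x api": "org/apache/logging/log4j/LogManager.class",
    "log4j 2.x core": "org/apache/logging/log4j/core/LoggerContext.class",
}


def build_sample_jar():
    """Constructed jar with both log4j 2.17.1 (the application's logger) and a
    transitively pulled-in log4j 1.2.17. Class entries are empty placeholders;
    only entry names and the Maven metadata matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("org/apache/log4j/Category.class", b"")
        z.writestr("META-INF/maven/log4j/log4j/pom.properties",
                   "#Generated by Maven\ngroupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        z.writestr("org/apache/logging/log4j/LogManager.class", b"")
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties",
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-api\nversion=2.17.1\n")
        z.writestr("org/apache/logging/log4j/core/LoggerContext.class", b"")
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.1\n")
    return buf.getvalue()


def inspect_jar(jar_bytes):
    """Return ({'groupId:artifactId': version}, {marker label: present?})."""
    artifacts, markers = {}, {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in z.read(name).decode("utf-8", "replace").splitlines():
                    # pom.properties is key=value with optional '#' comment lines
                    if "=" in line and not line.lstrip().startswith("#"):
                        k, v = line.split("=", 1)
                        props[k.strip()] = v.strip()
                key = f"{props.get('groupId')}:{props.get('artifactId')}"
                artifacts[key] = props.get("version")
        for label, path in MARKERS.items():
            markers[label] = path in names
    return artifacts, markers


def log4j_report(jar_bytes):
    """Summarise whether a log4j 1.x class tree is bundled and which
    log4j 2 versions are declared in the jar's Maven metadata."""
    artifacts, markers = inspect_jar(jar_bytes)
    return {
        "log4j1_bundled": markers["log4j 1.x"],
        "log4j1_version": artifacts.get("log4j:log4j"),
        "log4j2_core_bundled": markers["log4j 2.x core"],
        "log4j2_core_version": artifacts.get("org.apache.logging.log4j:log4j-core"),
    }


if __name__ == "__main__":
    import sys
    # Pass a real jar path to inspect it; with no argument the constructed jar is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    print(log4j_report(data))
```

When run against a real shaded jar, a true log4j1_bundled with a 1.2.x version confirms the scanner's finding is about classes genuinely present on the classpath, even if the application never configures them; whether those classes are reachable at runtime is a separate question from whether they are shipped.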