
Is a vulnerable picard still used? log4j vulnerability. #734

Closed
colindaven opened this issue Dec 14, 2021 · 7 comments
Labels: bug (Something isn't working)

@colindaven (Contributor)

Dear devs,

Using this software on an older, conda-based installation of nf-core rna-seq, a vulnerable picard.jar was found.

https://github.com/mergebase/log4j-detector

Do you know when it will be possible to replace the used picard.jar with a patched version?

There is already a patched release on

https://github.com/broadinstitute/picard/releases/tag/2.26.7

Thanks

@colindaven colindaven added the bug Something isn't working label Dec 14, 2021
@drpatelh drpatelh modified the milestones: 3.6, 3.5 Dec 14, 2021
@drpatelh (Member)

Great timing @colindaven as I am prepping a release! Thanks for reporting.

@colindaven (Contributor, Author)

Looks like a version based on 2.16 might be a better option, with the lookups completely removed. Broad picard is on 2.15.

https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4

Might pay to wait a bit?

@heuermh commented Dec 14, 2021

Best to merge to 2.15.x-based releases as soon as possible and update to 2.16 when it is ready. Things take a while to make their way through bioconda/biocontainers etc.

@drpatelh (Member) commented Dec 15, 2021

Other tools in this pipeline possibly affected by this:

If you spot any more tools on dev not mentioned above, please feel free to add them to the list.

@heuermh commented Dec 15, 2021

While it would be greatly preferable to have an official statement from the BBMap and Qualimap developer teams, my analysis shows that BBMap (BBMap_38.94.tar.gz) has no dependency on any version of log4j, and that Qualimap (qualimap-build-31-08-20.tar.gz), while having a dependency on picard-1.70.jar, has only a dependency on a 1.2.x version of log4j and no dependency on a 2.x version of log4j.
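The two checks discussed in this thread, whether a bundled picard.jar carries a log4j-core below the 2.16 cut-off and whether a tarball's jars depend on log4j 2.x at all, can be reproduced with a small scanner. The following is an added example, not code from this issue, from nf-core or from the log4j-detector project linked above. It walks a jar (descending into nested jars, as found under lib/ in tool tarballs), reads the Maven pom.properties that log4j-core ships, and checks for the JndiLookup class behind CVE-2021-44228. The 2.16.0 threshold is taken from the thread and is an assumption you should adjust to your own policy; the sample jars at the bottom are constructed in memory so the script runs offline.

```python
import io
import re
import sys
import zipfile

# Maven metadata that log4j-core ships inside its own jar; shaded/uber jars such as
# picard.jar usually keep it, so it is the most reliable version signal.
LOG4J_CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind CVE-2021-44228; present with an old or unknown version it is a red flag.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Threshold from the thread above: 2.16 removes the message lookups.
# Assumption: anything below it is reported as needing an upgrade.
SAFE_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates '2.15' and suffixes such as '2.16.0-rc1'."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def scan_archive(data, path="<root>"):
    """Walk a jar/zip given as bytes, descending into nested archives.

    Returns one finding per archive level that carries log4j-core metadata or the
    JndiLookup class: {"path", "version", "jndi_lookup"}.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip (e.g. a plain .class or text file named *.jar)
    with zf:
        names = zf.namelist()
        version = None
        if LOG4J_CORE_PROPS in names:
            props = zf.read(LOG4J_CORE_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if match:
                version = match.group(1).strip()
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({"path": path, "version": version, "jndi_lookup": has_jndi})
        for name in names:
            if name.lower().endswith(NESTED_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def is_vulnerable(finding):
    """Flag log4j-core below SAFE_VERSION, or an unknown version that still ships JndiLookup."""
    if finding["version"] is None:
        return finding["jndi_lookup"]
    return parse_version(finding["version"]) < SAFE_VERSION


def scan_file(filename):
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename)


def build_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used here only to fabricate samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLASS_STUB = b"\xca\xfe\xba\xbe"  # constructed: only the class-file magic, not real bytecode

# Constructed sample 1: an uber-jar with log4j-core 2.14.1 shaded in flat, the way picard.jar bundles it.
SAMPLE_SHADED_OLD = build_jar({
    "picard/cmdline/PicardCommandLine.class": CLASS_STUB,
    LOG4J_CORE_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    JNDI_LOOKUP: CLASS_STUB,
})
# Constructed sample 2: a tool jar that nests log4j-core 2.16.0 as its own jar under lib/.
SAMPLE_NESTED_PATCHED = build_jar({
    "lib/log4j-core-2.16.0.jar": build_jar({
        LOG4J_CORE_PROPS: b"version=2.16.0\n",
        JNDI_LOOKUP: CLASS_STUB,  # the class alone is not the signal once the version is known
    }),
})
# Constructed sample 3: log4j 1.2.x only (different package, no log4j-core metadata), like Qualimap above.
SAMPLE_LOG4J1 = build_jar({"org/apache/log4j/Logger.class": CLASS_STUB})


def main(argv):
    rc = 0
    for filename in argv[1:]:
        for f in scan_file(filename):
            flag = "VULNERABLE" if is_vulnerable(f) else "ok"
            print(f"{flag:10} {f['path']}  log4j-core={f['version'] or 'unknown'}  JndiLookup={f['jndi_lookup']}")
            rc |= int(is_vulnerable(f))
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the conda-installed jar, for example `python log4j_scan.py "$CONDA_PREFIX/share/picard-2.26.7-0/picard.jar"` (the share/ path is an assumption about the bioconda layout; locate the jar with `find "$CONDA_PREFIX" -name picard.jar` if it differs). The scanner trusts the Maven metadata left inside the jar; a shading configuration can strip META-INF/maven, in which case only the JndiLookup check fires and the version shows as unknown, which is exactly the case where a class-fingerprinting tool like the log4j-detector linked above gives a firmer answer.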

@drpatelh (Member)

Thanks @heuermh. Ok I have bumped Picard to 2.26.7 in #740 because we know that has been affected for definite. I will leave this issue open for now so we can track any updates before the next release too.

@drpatelh (Member)

Picard was bumped to the latest currently available again (2.26.10) in 01de13e which hopefully should now resolve this issue.
