Log4shell vulnerability


For those who are wondering whether the vulnerability issue CVE-2021-44228, known as Log4shell, affects a DataSHIELD setup based on OBiBa applications, the answer is no because logback has been used in place of log4j since 2013.

If there are still some log4j-related libraries that appear in the distributed Rock R server package, these are coming from third-party dependencies and are not being used. These dependencies have now been explicitly removed from the packaging process for clarity; the latest release of Rock integrates this patch.

No system administration action is required (except the usual recommendation to always use the latest version).


Hi @yannick

Thanks very much for clarifying that DataSHIELD and the OBiBa stack are not vulnerable regarding this potential threat! :slight_smile:

Best wishes all,