General remarks:
- Updating to version 0.5.4 is highly recommended as it closes CVE-2021-44228.
- If an update is not possible, apply the following mitigation: for the two services referred to as "app" (ghcr.io/highmed/fhir:0.5.3 and ghcr.io/highmed/bpe:0.5.3) in the docker-compose.yml files, set an environment variable that disables the vulnerable message lookup feature in Log4j2:
  EXTRA_JVM_ARGS: -Dlog4j2.formatMsgNoLookups=true
- To update, replace the existing DSF docker containers with version 0.5.4. For more information on how to upgrade, see the Wiki.
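As an added example that is not part of the DSF release notes or the DSF project, the following shell check reads a docker-compose.yml on stdin and reports whether the "app" service has been updated to 0.5.4 (or newer) or carries the EXTRA_JVM_ARGS mitigation from the remarks above. It assumes the layout of the DSF 0.5.x compose files (service names at two-space indent with image: and environment: keys beneath them) and the service name "app" given in the notes.

```shell
#!/bin/sh
# Added example, not part of the DSF release notes or the DSF project: audit a
# docker-compose.yml for the CVE-2021-44228 state of the DSF "app" service.
# A service counts as "fixed" if its image tag is 0.5.4 or newer and as
# "mitigated" if EXTRA_JVM_ARGS carries -Dlog4j2.formatMsgNoLookups=true;
# anything else is reported as VULNERABLE (exit status 1).
# Assumption: the compose layout of DSF 0.5.x, i.e. service names at two-space
# indent with image: and environment: keys beneath them.

# Usage: dsf_log4j_status < docker-compose.yml
dsf_log4j_status() {
  awk '
    # exactly two spaces, a name and a colon: a new service block begins
    /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc); next }

    svc == "app" && /^[ \t]+image:/ {
      img = $2; gsub(/"/, "", img)
      n = split(img, ref, ":"); tag = ref[n]      # text after the last colon
      if (tag ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) {
        split(tag, v, ".")
        # 0.5.4 -> 5004; only a three-part numeric tag is trusted here
        if (v[1] * 1000000 + v[2] * 1000 + v[3] >= 5004) fixed = 1
      }
    }

    # accepts both "KEY: value" and "- KEY=value" environment styles
    svc == "app" && /EXTRA_JVM_ARGS[:=]/ && /-Dlog4j2\.formatMsgNoLookups=true/ { mitigated = 1 }

    END {
      if (fixed)     { print "fixed";     exit 0 }
      if (mitigated) { print "mitigated"; exit 0 }
      print "VULNERABLE"; exit 1
    }
  '
}

# Constructed sample, not a real deployment file: the fhir "app" service still on
# 0.5.3 but with the mitigation from the release notes in place.
dsf_log4j_status <<'EOF'
services:
  app:
    image: ghcr.io/highmed/fhir:0.5.3
    environment:
      EXTRA_JVM_ARGS: -Dlog4j2.formatMsgNoLookups=true
EOF
```

Run it against both compose files (fhir and bpe); a non-zero exit status flags a deployment that is neither updated nor mitigated.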
Fixes include:
- Log4j2 allowed remote code execution for versions prior to 2.15.0. See #297
Clients released in the binary assets:
- MPI client PDQ: dsf-mpi-client-pdq-0.5.4.zip
- openEHR client: dsf-openehr-client-impl-0.5.4.zip
Docker containers for this release can be accessed via the GitHub Docker registry (ghcr.io):
- bpe: ghcr.io/highmed/bpe:0.5.4
- bpe_proxy: ghcr.io/highmed/bpe_proxy:0.5.4
- fhir: ghcr.io/highmed/fhir:0.5.4
- fhir_proxy: ghcr.io/highmed/fhir_proxy:0.5.4
Issues closed: