log4j cytoscape

Does Cytoscape use Log4j?


Apologies if I've missed this elsewhere, but could anyone tell me please if Cytoscape uses Log4j?

I have Cytoscape v3.9.0 on macOS Big Sur v11.6, with openjdk v11.0.7 installed. Just wondering if it's safe to open Cytoscape to use at the moment or if it needs a security update.


Solution

  • Cytoscape uses log4j, but the core only uses log4j 1.x. The sbml app does use log4j2, however. Be aware that the avenue for this particular exploit is that an attacker must format a message to send to the logger that requests the logger to load code from LDAP, DNS, or some other repository. The typical pattern for this exploit is through HTTP requests to a web server.

    In the context of Cytoscape, this would mean fashioning a CyREST query that includes the log message in such a way as to get Cytoscape to pass that to log4j. This would be extremely difficult and quite specific to Cytoscape. So, as a direct answer, yes, there are components of Cytoscape that use log4j2 (the sbml app), but running Cytoscape on your desktop is very likely to be safe. To make sure it's safe, you can block traffic to the Cytoscape REST port from outside of your laptop.