This post contains important information related to the Log4j vulnerability that is impacting much of the internet. Terra has made it a top priority to ensure that all systems have this vulnerability patched, as we do any time a new vulnerability is discovered. While you don’t need to take additional action to stay protected using the majority of the Terra platform at this time, we wanted to make sure you were aware of the cases where your action may be required:
- If you are using a Dataproc cluster that was created prior to 12:26pm ET on December 15, 2021, you will need to recreate your cluster in order to ensure it’s protected against the Log4j vulnerability.
- If you are an author of any WDLs that utilize the GATK Docker, we recommend using the :latest version, or specifically version 188.8.131.52 (or higher). You can read more GATK's response to the Log4j vulnerability here.
- If you’ve cloned a featured workspace, you may want to make sure that the GATK workflows are using the :latest or :184.108.40.206 version of the GATK docker.
- We highly recommend confirming that any Docker you use, whether it be for workflows or cloud environments, is updated to protect against this vulnerability. All default application configurations for cloud environments offered in the Terra UI have been updated to protect against this vulnerability.
Workflow VMs in Terra are fairly isolated and have protections in place to protect against exfiltration. If you must use a historical version of GATK, or any other java-based tool, to protect the integrity of your research, we believe the associated risk is relatively low. However, if you have the means to update to the known-protected versions, we highly recommend doing so.
Read more about Terra's security response to Log4j vulnerability on the Terra blog.
Security is of the utmost importance to the Terra platform. If you’re interested in learning more about our security posture, you can read about it here.
Please contact email@example.com with any questions - we are happy to help!