From af7b3da226fb82e3275cff9aa76904a2427fc3c7 Mon Sep 17 00:00:00 2001 From: madhurya-btc Date: Wed, 15 Dec 2021 12:53:28 +0530 Subject: [PATCH 1/5] log4j vulnerability issue fix --- .../consent-mgmt-module/consent-mgmt/pom.xml | 25 +++++++++++++++---- .../enroll-mgmt-module/enroll-mgmt/pom.xml | 24 +++++++++++++++--- .../user-mgmt-module/user-mgmt/pom.xml | 20 ++++++++++++--- study-builder/fdahpStudyDesigner/pom.xml | 19 -------------- study-datastore/pom.xml | 19 -------------- 5 files changed, 56 insertions(+), 51 deletions(-) diff --git a/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml b/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml index d3e861df6e..006d310ee9 100644 --- a/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml +++ b/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml @@ -66,11 +66,26 @@ - - org.springframework.boot - spring-boot-starter-log4j2 - - + + org.springframework.boot + spring-boot-starter-log4j2 + + + org.apache.logging.log4j + log4j-core + + + + + org.apache.logging.log4j + log4j-core + 2.16.0 + + + org.apache.logging.log4j + log4j-api + 2.16.0 + org.springframework.boot spring-boot-devtools diff --git a/participant-datastore/enroll-mgmt-module/enroll-mgmt/pom.xml b/participant-datastore/enroll-mgmt-module/enroll-mgmt/pom.xml index 0314d586c6..027c2a059e 100644 --- a/participant-datastore/enroll-mgmt-module/enroll-mgmt/pom.xml +++ b/participant-datastore/enroll-mgmt-module/enroll-mgmt/pom.xml @@ -42,10 +42,26 @@ org.springframework.boot spring-boot-starter-data-jpa - - org.springframework.boot - spring-boot-starter-log4j2 - + + org.springframework.boot + spring-boot-starter-log4j2 + + + org.apache.logging.log4j + log4j-core + + + + + org.apache.logging.log4j + log4j-core + 2.16.0 + + + org.apache.logging.log4j + log4j-api + 2.16.0 + org.springframework.boot spring-boot-starter-jdbc 
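Review bot: Excluding only `log4j-core` from `spring-boot-starter-log4j2` and redeclaring `log4j-core`/`log4j-api` at 2.16.0 leaves the starter's other Log4j2 artifacts (the SLF4J and JUL bridges it pulls in, if I remember the starter's contents correctly) at whatever version the Boot BOM manages, so this module can end up with core/api 2.16.0 beside older bridge jars. If this pom inherits `spring-boot-starter-parent` or imports the Boot BOM — the parent is outside the hunk, so I cannot confirm — the supported override is a single property, `<log4j2.version>2.16.0</log4j2.version>` under `<properties>`, which re-pins every Boot-managed Log4j2 artifact together and makes the next bump a one-line change. The explicit `log4j-core`/`log4j-api` entries and the exclusion can then be dropped. The enclosing `<dependencies>` element starts and ends outside the hunk.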
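Review bot: The pin to 2.16.0 in this enroll-mgmt hunk comes with nothing that verifies the resulting classpath, and a literal version in a module pom is exactly what gets missed on the next advisory — Apache has since published 2.17.x (CVE-2021-45105, CVE-2021-44832) after 2.16.0. A direct `log4j-core` declaration wins over transitive copies at the same coordinates, but not over a relocated/shaded copy or over `log4j:log4j` 1.x arriving through another dependency, so I would record the check in the PR: `mvn dependency:tree -Dincludes=org.apache.logging.log4j,log4j` on this module, expecting only 2.16.0 and no 1.x. Consider also a comment above the pinned entries, `<!-- Pinned for CVE-2021-44228/45046; bump together with log4j2.version -->`, so the override is not silently reverted the next time the starter block is edited. The same applies to the identical consent-mgmt hunk above it.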
diff --git a/participant-datastore/user-mgmt-module/user-mgmt/pom.xml b/participant-datastore/user-mgmt-module/user-mgmt/pom.xml index fde2d9fed6..602bb0eca8 100644 --- a/participant-datastore/user-mgmt-module/user-mgmt/pom.xml +++ b/participant-datastore/user-mgmt-module/user-mgmt/pom.xml @@ -67,7 +67,23 @@ org.springframework.boot spring-boot-starter-log4j2 + + + org.apache.logging.log4j + log4j-core + + + + org.apache.logging.log4j + log4j-core + 2.16.0 + + + org.apache.logging.log4j + log4j-api + 2.16.0 + org.springframework.boot spring-boot-devtools @@ -84,10 +100,6 @@ mysql-connector-java runtime - - org.slf4j - slf4j-ext - org.springframework.boot spring-boot-starter-tomcat diff --git a/study-builder/fdahpStudyDesigner/pom.xml b/study-builder/fdahpStudyDesigner/pom.xml index 5f454c559a..01580d0a47 100644 --- a/study-builder/fdahpStudyDesigner/pom.xml +++ b/study-builder/fdahpStudyDesigner/pom.xml @@ -197,25 +197,6 @@ 1.5.3 true - - log4j - log4j - 1.2.17 - - - com.sun.jmx - jmxri - - - com.sun.jdmk - jmxtools - - - javax.jms - jms - - - javax.servlet jstl diff --git a/study-datastore/pom.xml b/study-datastore/pom.xml index 544562ef5e..743910d344 100644 --- a/study-datastore/pom.xml +++ b/study-datastore/pom.xml @@ -207,25 +207,6 @@ jar compile - - log4j - log4j - 1.2.17 - - - com.sun.jmx - jmxri - - - com.sun.jdmk - jmxtools - - - javax.jms - jms - - - org.quartz-scheduler quartz From 11e205dda64960761e74f805f8aeefa08218dd38 Mon Sep 17 00:00:00 2001 From: madhurya-btc Date: Wed, 15 Dec 2021 12:56:37 +0530 Subject: [PATCH 2/5] formatting pom.xml --- .../consent-mgmt-module/consent-mgmt/pom.xml | 2 +- .../user-mgmt-module/user-mgmt/pom.xml | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml b/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml index 006d310ee9..4de833a604 100644 --- a/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml 
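Review bot: The literal `2.16.0` is now repeated in three module poms (consent-mgmt, enroll-mgmt, and this user-mgmt hunk), which is how one of them drifts at the next bump. If the participant-datastore modules share a parent pom (not visible here), a single `<dependencyManagement>` entry for `log4j-core` and `log4j-api` there — or Boot's `<log4j2.version>2.16.0</log4j2.version>` property — lets each module keep a version-less dependency and one place to update. Separately, the next hunk in this file drops `slf4j-ext` without mention in the commit message; if that is deliberate the message should say why, and a grep for `org.slf4j.ext` confirms nothing in the module still uses it.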
+++ b/participant-datastore/consent-mgmt-module/consent-mgmt/pom.xml @@ -66,7 +66,7 @@ - + org.springframework.boot spring-boot-starter-log4j2 diff --git a/participant-datastore/user-mgmt-module/user-mgmt/pom.xml b/participant-datastore/user-mgmt-module/user-mgmt/pom.xml index 602bb0eca8..f5247367b5 100644 --- a/participant-datastore/user-mgmt-module/user-mgmt/pom.xml +++ b/participant-datastore/user-mgmt-module/user-mgmt/pom.xml @@ -64,16 +64,16 @@ - - org.springframework.boot - spring-boot-starter-log4j2 - + + org.springframework.boot + spring-boot-starter-log4j2 + org.apache.logging.log4j log4j-core - - + + org.apache.logging.log4j log4j-core From f94875aa256575792861890df6e432ea7a640445 Mon Sep 17 00:00:00 2001 From: madhurya-btc Date: Wed, 15 Dec 2021 18:17:40 +0530 Subject: [PATCH 3/5] release version --- .../src/main/resources/application.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/study-builder/fdahpStudyDesigner/src/main/resources/application.properties b/study-builder/fdahpStudyDesigner/src/main/resources/application.properties index 93fc130185..fed6e60afd 100644 --- a/study-builder/fdahpStudyDesigner/src/main/resources/application.properties +++ b/study-builder/fdahpStudyDesigner/src/main/resources/application.properties @@ -58,7 +58,7 @@ security.oauth2.client.client-secret=${SECRET_KEY} # application version applicationVersion=1.0 -release.version=2.0.8 +release.version=2.0.9 security.oauth2.token_endpoint=${SCIM_AUTH_URL}/oauth2/token security.oauth2.client.redirect-uri=${SCIM_AUTH_URL}/callback From 9ea4eeda9d6ace331763e0d8d324bcbd3fc6b79f Mon Sep 17 00:00:00 2001 From: madhurya-btc Date: Wed, 15 Dec 2021 18:24:13 +0530 Subject: [PATCH 4/5] Update whats-new.md --- documentation/whats-new.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/documentation/whats-new.md b/documentation/whats-new.md index 65f4dd59ec..3980afcd65 100644 --- a/documentation/whats-new.md +++ b/documentation/whats-new.md 
@@ -6,6 +6,9 @@ --> > Subscribe to [mystudies-announce@googlegroups.com](https://groups.google.com/g/mystudies-announce/) to receive release notifications and announcements +# Release 2.0.9 +* This release fixes the security vulnerability detected with Log4j recently. More information on the vulnerability is here (https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046). +* Note: The platform was using a Log4j version which is not impacted by this vulnerability. However, as a safety measure, the platform is now updated with this release, to use the latest Log4j version 2.16.0 provided by Apache to address this vulnerability. # Release 2.0.8 * Note: This release requires users to update to new versions of the mobile apps from the app stores. From 25058df76066df252fc3503fb86419c2b3f02227 Mon Sep 17 00:00:00 2001 From: madhurya-btc Date: Wed, 15 Dec 2021 18:46:38 +0530 Subject: [PATCH 5/5] Update whats-new.md --- documentation/whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/whats-new.md b/documentation/whats-new.md index 3980afcd65..2d384aace7 100644 --- a/documentation/whats-new.md +++ b/documentation/whats-new.md 
@@ -7,8 +7,8 @@ > Subscribe to [mystudies-announce@googlegroups.com](https://groups.google.com/g/mystudies-announce/) to receive release notifications and announcements # Release 2.0.9 -* This release fixes the security vulnerability detected with Log4j recently. More information on the vulnerability is here (https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046). -* Note: The platform was using a Log4j version which is not impacted by this vulnerability. However, as a safety measure, the platform is now updated with this release, to use the latest Log4j version 2.16.0 provided by Apache to address this vulnerability. +* This release fixes the security vulnerability detected with Log4j recently. More information on the vulnerability is here (https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046). +* Note: The platform was using a log4j version and logging framework which is not impacted by this vulnerability. However, as a safety measure, the platform is updated with release v2.0.9, to use the latest Log4j version 2.16.0 that was provided by Apache to address this issue. # Release 2.0.8 * Note: This release requires users to update to new versions of the mobile apps from the app stores.