LibreClinica Security Advisory on the log4j zero-day vulnerability

A critical security flaw was discovered in Apache Log4j, a popular logging framework for Java. The confirmed affected versions of Log4j are 2.0-beta-9 through 2.14.1. For details see (here).
In LibreClinica, Log4j is used in version 1.2.14 by various components, such as JXL. This version does not have the currently exploited vulnerability of version 2.x, but it does have a different vulnerability that has been known for some time. The known flaw cannot be exploited due to the present configuration of Log4j in LibreClinica: (1) the JMS Appender is not configured and (2) the javax.jms API is not in the CLASSPATH.
Thus, LibreClinica in its default configuration is not affected by a vulnerability that can be exploited by an outside attacker.
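Administrators who have customised their deployment can re-check the two conditions above with a script like the following. It is an added example, not LibreClinica code: the names audit and build_sample and the sample directory layout are assumptions made for illustration. Commented-out lines in .properties files are ignored, while any mention in a log4j XML file is reported.

```python
import os
import re
import tempfile
import zipfile

# Matches a JMSAppender reference on any line that is not a # or ! comment.
JMS_APPENDER = re.compile(r"^(?![ \t]*[#!]).*org\.apache\.log4j\.net\.JMSAppender", re.M)
CONFIG_NAMES = re.compile(r"log4j.*\.(properties|xml)$")


def audit(root):
    """Return (configs naming JMSAppender, jars that ship javax.jms classes)."""
    configs, jms_jars = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if CONFIG_NAMES.match(name):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if JMS_APPENDER.search(fh.read()):
                        configs.append(path)
            elif name.endswith(".jar") and zipfile.is_zipfile(path):
                # The log4j jar always contains JMSAppender.class; what matters
                # is whether the javax.jms API is available on the classpath.
                with zipfile.ZipFile(path) as jar:
                    if any(e.startswith("javax/jms/") for e in jar.namelist()):
                        jms_jars.append(path)
    return sorted(configs), sorted(jms_jars)


def build_sample(root, with_jms):
    """Constructed sample tree: a log4j jar, a config, optionally a JMS API jar."""
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.14.jar"), "w") as jar:
        jar.writestr("org/apache/log4j/net/JMSAppender.class", b"")
    appender = "net.JMSAppender" if with_jms else "ConsoleAppender"
    with open(os.path.join(root, "log4j.properties"), "w") as fh:
        fh.write("# log4j.appender.X=org.apache.log4j.net.JMSAppender\n")
        fh.write(f"log4j.appender.A=org.apache.log4j.{appender}\n")
    if with_jms:
        with zipfile.ZipFile(os.path.join(lib, "jms-api.jar"), "w") as jar:
            jar.writestr("javax/jms/Message.class", b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, with_jms=False)
        print(audit(tmp))
```

Two empty lists mean both conditions from the advisory hold for the scanned directory; point audit at the unpacked web application and at the servlet container's shared library directory.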

The community has already planned an update of Log4j or its replacement in the next release.

