CVE-2021-44228


mi...@witsmd.com

Dec 13, 2021, 12:00:25 PM
to dcm4che
Can anyone elaborate on the vulnerability of the dcm4che 5.17 libs using log4j?

Gunter Zeilinger

Dec 13, 2021, 12:09:40 PM
to dcm4che
dcm4che does not use log4j2. The library itself can use any logging framework which implements the slf4j api or for which a bridge to the slf4j api is available. So you may also change the default of the dcm4che utilities using log4j 1.2.17 via slf4j-log4j12 1.7.30.

drovn...@gmail.com

Dec 13, 2021, 6:03:54 PM
to dcm4che
Can someone elaborate on the older versions of dcm4che - like 2.x that use log4j? I have a set of field units that use 2.x. It's not clear what version of log4j is being used from what I can see - and there is different guidance out there depending on log4j versions. I realize 1.x log4j is EOL, I just need to make a plan here.

Dave

Gunter Zeilinger

Dec 14, 2021, 5:14:34 AM
to dcm...@googlegroups.com
Major cause of security risks still using dcm4chee-2.x are caused by outdated JBoss version, and not by using log4j 1.x for logging!
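
Added example (not part of the thread and not dcm4che code): one way to check which log4j family a jar on a deployed unit actually contains, by looking for marker classes and the manifest version. The function names and the choice of marker classes are assumptions of this sketch; it inspects a single jar and does not unpack jars nested inside WAR/EAR archives.

```python
import io
import re
import zipfile

# Marker classes (assumption of this sketch): log4j 1.x lives under
# org/apache/log4j/, while the log4j2 core jar, the one CVE-2021-44228
# concerns, ships JndiLookup.class.
# Caveat: API bridges such as log4j-over-slf4j also provide
# org.apache.log4j.Logger, so confirm a 1.x hit against the jar name/version.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify_jar(jar):
    """Return (family, version) for a jar path or file object, else (None, None)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if LOG4J2_MARKER in names:
            family = "log4j2-core"
        elif LOG4J1_MARKER in names:
            family = "log4j-1.x"
        else:
            return None, None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
        return family, version


def make_jar(entries):
    """Build a constructed in-memory jar from {name: bytes} (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    # Usage: python this_script.py path/to/a.jar path/to/b.jar ...
    for path in sys.argv[1:]:
        print(path, *classify_jar(path))
```

A jar reported as `log4j2-core` is the one to compare against the CVE-2021-44228 guidance; a `log4j-1.x` result falls under the separate guidance for the end-of-life 1.x line.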
