johnperry / CTP

Clinical Trial Processor
http://mircwiki.rsna.org/index.php?title=CTP_Articles

Is CTP affected by log4j cve-2021-44228? #28

Closed kapsner closed 2 years ago

kapsner commented 2 years ago

Is the CTP-tool affected by this vulnerability?

johnperry commented 2 years ago

I believe none of the MIRC tools (including CTP, TFS, DicomAnonymizerTool, FileSender, and DicomEditor) are affected by this vulnerability.

The reason is that the vulnerability in question is restricted to log4j version 2 and the MIRC code uses log4j version 1. In addition, to trigger the vulnerability, you have to log a string supplied by an attacker in an HTTP request, and none of the MIRC tools ever do that.

Some people have claimed that version 1 has other vulnerabilities. Whatever they are, I doubt that MIRC's use of log4j could allow an attacker to exploit them since it doesn't log HTTP requests. Nevertheless, I'm working on testing with log4j version 2.15.1, which is the latest version released to fix the vulnerability. This will require anyone running Java 7 to upgrade to at least Java 8.

JP

From: kapsner Sent: Tuesday, December 14, 2021 2:10 AM To: johnperry/CTP Cc: Subscribed Subject: [johnperry/CTP] Affected by log4j cve-2021-44228? (Issue #28)

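A defender-side check for the reasoning above, added here as an example (it is not CTP or MIRC code): it walks an install directory and classifies every jar by its contents, so an operator can confirm that only log4j 1.x is bundled instead of trusting jar file names. The class and Maven paths are real log4j artifacts; the jars produced by make_sample_jar are constructed fixtures for trying the check offline.

```python
import os
import tempfile
import zipfile

# Class present in every log4j 1.x jar (the line the MIRC tools use).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# JNDI lookup class of log4j-core 2.x; its presence means the CVE-2021-44228
# code path is in the jar (deleting this class was an official mitigation).
LOG4J2_JNDI_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def classify_jar(path):
    """Return 'log4j1', 'log4j2-jndi:<ver>', 'log4j2-nojndi:<ver>' or 'none'."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if LOG4J1_MARKER in names:
            return "log4j1"
        if LOG4J2_JNDI_MARKER not in names and LOG4J2_POM not in names:
            return "none"
        version = "unknown"  # taken from log4j-core's Maven metadata when bundled
        if LOG4J2_POM in names:
            for line in zf.read(LOG4J2_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        kind = "log4j2-jndi" if LOG4J2_JNDI_MARKER in names else "log4j2-nojndi"
        return kind + ":" + version

def audit_tree(root):
    """Map every .jar under root to its classification; corrupt jars are flagged."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                try:
                    findings[full] = classify_jar(full)
                except zipfile.BadZipFile:
                    findings[full] = "unreadable"
    return findings

def make_sample_jar(name, entries):
    """Write a constructed jar holding only `entries` into a fresh temp dir (fixture)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with zipfile.ZipFile(path, "w") as zf:
        for entry, data in entries.items():
            zf.writestr(entry, data)
    return path
```

Run audit_tree against the directory CTP is installed in; a result of only "log4j1" entries matches the statement above, while any "log4j2-jndi" entry is the case that needs the version compared against the fixed releases.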

kapsner commented 2 years ago

Thanks a lot for your quick reply!