Utilities: Replace log4j-1.2.17 by logback-classic-1.2.9 #1050
Comments
|
Please update to |
|
Same problem, It would be great if log4j is updated. |
|
As CVE-2021-44228 has Critical security issue and affects log4j >= 2.0.0, < 2.15.0, it is better to use 2.15.0 instead of 2.14.1. |
|
Any plan for this update...? |
|
Hi It seems like log4j 1.x is vulnerable to CVE-2021-44228.
For detailed context, see apache/logging-log4j2#608 (comment) Is dcm4che exploitable? or just vulnerable only? Thanks. |
|
Sorry about this @gunterze, I know you're probably very busy, but will this be addressed soon? |
|
The dcm4che toolkit uses the sl4j facade and log4j 1.2.17 by default. log4j 1.x is not affected by CVE-2021-44228, see the analysis of the designer of log4j and sl4j. Note that the default logger configuration in dcm4che does not contain JMSAppender, so is not affected by the vulnerability CVE-2021-4104. If you integrate dcm4che in third-party software then you have to check what is the logger (as it can be modified) and its configuration. |
|
Particularly, the library does not use any default, only the launcher scripts for the utilities currently includes |
|
Yes it seems the best option to move to logback 1.2.9 |
gunterze
changed the title
|
I am using dcm4che-net-2.0.29.jar that uses log4j. What is the replacement? I tried the newer versions of dcm4che-net, but it seems still uses log4j. |
|
I do not longer maintain dcm4che-2.x. |
|
We have switched to logback-classic, but in runtime the application fails on dcm4che.data that requires log4j. |
|
Can someone tells me the pom or maven link to download dcm4che 5 and dependency libraries? I am using gradle, it doesn't find the place to download |
|
I am stuck here, does anyone have a solution? |
The version of log4j that is used is labeled as end of life.
It is also flagged during our vulnerability scans.
Suggest to update to the latest release of log4j v2.14.1
The text was updated successfully, but these errors were encountered: