Any Log4J vulnerabilities (Apache Java)

Hi, apologies if this is a daft question, but I need to confirm that there are no Log4J vulnerabilities associated with 3D Slicer please. I don’t use it personally, but it is used within our organisation and I am tasked with trying to find out for all our software if there are any Log4J vulnerabilities due to the use of Apache’s Java based Log4J code. I’m assuming it is not impacted as no mention on any of your sites/documentation, however I need confirmation, please could someone confirm if 3D slicer has any Log4J vulnerabilities.

3D Slicer does not use Java, so this Log4J vulnerability would not be an issue as far as I know.

I did a quick file search of “log4j” in a Slicer build tree and came across the following in the DCMTK build. I’m not familiar enough to know what these are for.

  • log4judp.h, and log4judp.obj

Also, since 3D Slicer allows installing extensions through the “Extensions Manager” you would want to make sure any 3rd party extensions that you use in Slicer don’t also have any vulnerabilities.

I’ve had a look at this and it comes from log4cpp library, which DCMTK uses for logging. This library can send log messages in a log4j compatible format and supports similar features as log4j, but it is a completely independent implementation (does not even use the same programming language) and it is not affected by log4j vulnerabilities. See this discussion on the log4cpp issue tracker:

as log4cplus is modelled after log4j, is log4cplus also affected by this vulnerability?

No. log4cplus is a C++ based library. It shares only name similarity and concepts with log4j, not the implementation.

I’ve checked the build tree of the extensions index and can confirm that log4j is not used by any of the extensions that are distributed via the Slicer Extensions Manager.

Therefore, Slicer and its publicly available extensions are not impacted by log4j vulnerability. That said, neither Slicer core nor the libraries that Slicer uses are particularly hardened against potential security vulnerabilities. The application is expected to be used in a trusted environment - trusted users, data, network, etc.
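The replies above describe a quick file-name search for "log4j" in a build tree and then explain that the hits (log4judp.h, log4judp.obj under the DCMTK build) are C++ artifacts of a log4j-compatible logging library, not the Java Log4j 2 library. The script below is an added example written for this thread, not code from the Slicer project: it repeats that search, classifies each hit as a Java archive/class versus a native C/C++ build product, and, where `unzip` is available, reports whether any Java archive found still carries the `JndiLookup` class that the Log4j 2 advisories told administrators to look for. The sample tree in the `--demo` branch is constructed here (the jar name is a placeholder, not a real Slicer or extension file).

```shell
#!/bin/sh
# Added example for this thread (not Slicer project code): reproduce the
# "quick file search for log4j" from the replies and classify each hit, so that
# C/C++ artifacts such as DCMTK's log4judp.h / log4judp.obj are not mistaken for
# the Java Log4j 2 library. Only Java archives and class files are candidates
# for the Log4j vulnerabilities discussed in the thread.

# Print one classified line per file whose name contains "log4j" under $1.
list_log4j_names() {
    find "$1" -type f -iname '*log4j*' 2>/dev/null | sort | while IFS= read -r f; do
        case "$f" in
            *.jar|*.war|*.ear|*.class)
                echo "JAVA-ARTIFACT   $f" ;;
            *.h|*.hpp|*.cpp|*.cc|*.obj|*.o|*.lib|*.a|*.so|*.dll|*.dylib)
                echo "native-c-cxx    $f" ;;
            *)
                echo "other           $f" ;;
        esac
    done
}

# Echo the number of Java artifacts (jar/war/ear/class) whose name contains "log4j".
count_log4j_java_artifacts() {
    find "$1" -type f -iname '*log4j*' \
        \( -iname '*.jar' -o -iname '*.war' -o -iname '*.ear' -o -iname '*.class' \) \
        2>/dev/null | wc -l | tr -d ' '
}

# For each Java archive found, report whether it still contains the JndiLookup
# class named in the Log4j 2 advisories; needs `unzip` to read the archive.
# Echoes "no-jars", "unzip-missing", or "<path>: JndiLookup present|absent|unreadable".
inspect_log4j_jars() {
    jars=$(find "$1" -type f -iname '*log4j*' -iname '*.jar' 2>/dev/null)
    [ -n "$jars" ] || { echo "no-jars"; return 0; }
    command -v unzip >/dev/null 2>&1 || { echo "unzip-missing"; return 0; }
    printf '%s\n' "$jars" | while IFS= read -r jar; do
        if listing=$(unzip -l "$jar" 2>/dev/null); then
            case "$listing" in
                *org/apache/logging/log4j/core/lookup/JndiLookup.class*)
                    echo "$jar: JndiLookup present" ;;
                *)  echo "$jar: JndiLookup absent" ;;
            esac
        else
            echo "$jar: unreadable"
        fi
    done
}

# Stand-alone run against a constructed sample tree: the two DCMTK file names
# from the thread plus a placeholder jar name (constructed, not a real artifact).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/DCMTK-build/oflog" "$tmp/some-extension/lib"
    : > "$tmp/DCMTK-build/oflog/log4judp.h"
    : > "$tmp/DCMTK-build/oflog/log4judp.obj"
    : > "$tmp/some-extension/lib/log4j-core-PLACEHOLDER.jar"
    list_log4j_names "$tmp"
    echo "java artifacts: $(count_log4j_java_artifacts "$tmp")"
    inspect_log4j_jars "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh scan.sh --demo` to see the classification, or source it and call `list_log4j_names /path/to/Slicer-build` against a real tree. A count of zero Java artifacts together with only `native-c-cxx` hits is the result the replies above describe for Slicer and its extensions; any `JAVA-ARTIFACT` line points at a bundled component that should be checked against its own vendor's Log4j guidance.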