Statement on the Security Vulnerabilities discovered in DCMTK
We have heard with much concern about the security weaknesses which have recently been discovered in the commonly-used open source DICOM toolkit “DCMTK”, and we have been asked whether we have similar problems in DicomObjects.
It is impossible to be certain that no weaknesses exist in any piece of software, but we can state the following:
- DicomObjects does not use code from DCMTK, or any other DICOM toolkits, and as such is not directly affected by the recently discovered vulnerabilities.
- DicomObjects has always been coded “defensively” and it is unlikely that any similar issues exist, especially in the .NET version, which is 100% managed code, without any “unsafe” unmanaged code.
- We do use externally written codecs for JPEG 2000 (COM version only) and for video support (.NET and COM versions). Details of all third party tools can be found here for COM and here for .NET. Whilst we are not aware of any vulnerabilities in these codecs, we will be watching industry developments closely to monitor whether any such problems are discovered.
- We are planning to do more formal testing of DicomObjects for vulnerabilities in the coming weeks.
See here for details of the DCMTK issue.