From what I can tell (I just use the library) it doesn't depend on log4j itself. However, given that the library is typically included in other applications and that may well use a vulnerable version, your best bet is to check the actual jars / wars with a tool like the one at https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell

If you've got the source code of the application, you should also be able to view all dependencies with `mvn dependency:tree` and see if impacted versions of log4j show up there.

Best of luck.

On Mon, 13 Dec 2021 at 14:46, Bryan K. Walton <bwalton.21...@courseleaf.com.invalid> wrote:

> Hi, is Apache FOP susceptible to the Log4shell vulnerability that is
> making the rounds right now?
>
> Thanks!
> Bryan Walton

--
Matt Kynaston
Lead Developer
Tel: +441225851666
www.claritum.com
Claritum Limited. Registered Office: 37 Great Pulteney Street, Bath, BA2 4DA
Registered in England and Wales 3878694
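
The jar/war check suggested in the reply above, as an added example that is not part of the original message or of Apache FOP: it walks an archive, including jars nested under `WEB-INF/lib` or inside fat jars, and reports each bundled log4j-core copy with the version from its `pom.properties` and whether `JndiLookup.class` is present. The function names and the sample archive (with a placeholder version string) are constructed for illustration; compare the reported versions against the Log4Shell advisory yourself.

```python
import io
import zipfile

# Entries that identify a bundled log4j-core copy inside a jar.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")


def scan_archive(data, path="<archive>"):
    """Return one finding per log4j-core copy found in the archive bytes,
    recursing into nested archives (hypothetical helper, not a FOP API)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable zip: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM in names:
            for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        # A shaded copy may lack pom.properties, so the class alone also counts.
        if POM in names or JNDI in names:
            findings.append({"path": path, "version": version,
                             "jndi_lookup": JNDI in names})
        for name in sorted(names):
            if name.lower().endswith(NESTED):
                findings += scan_archive(zf.read(name), f"{path}!/{name}")
    return findings


def build_sample_war():
    """Constructed sample: a war bundling a fake log4j-core jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM, "artifactId=log4j-core\nversion=0.0.0-SAMPLE\n")
        jar.writestr(JNDI, b"")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/other.jar", b"not a zip")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "sample.war"):
        print(finding)
```

To scan a real deployment, pass the bytes of each jar or war file to `scan_archive` together with its file name.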