>From what I can tell (I just use the library) it doesn't depend on log4j
itself. However, given that the library is typically included in other
applications and that may well use a vulnerable version, your best bet is
to check the actual jars / wars with a tool like at

If you've got the source code of the application, you should also be able
to view all dependencies with `mvn dependency:tree` and see if impacted
versions of log4j show up there.

Best of luck.

On Mon, 13 Dec 2021 at 14:46, Bryan K. Walton
<bwalton.21...@courseleaf.com.invalid> wrote:

> Hi, is Apache FOP susceptible to the Log4shell vulnerability that is
> making the rounds right now?
> Thanks!
> Bryan Walton
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
> For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org


Matt Kynaston
Lead Developer
Tel: +441225851666

Claritum Limited. Registered Office: 37 Great Pulteney Street, Bath, BA2
4DA  Registered in England and Wales 3878694

Reply via email to