On Mon, Dec 13, 2021 at 03:02:22PM +0000, Matt Kynaston wrote:
> From what I can tell (I just use the library) it doesn't depend on log4j
> itself. However, given that the library is typically included in other
> applications and that may well use a vulnerable version, your best bet is
> to check the actual jars / wars with a tool like at
> https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>
> If you've got the source code of the application, you should also be able
> to view all dependencies with `mvn dependency:tree` and see if impacted
> versions of log4j show up there.
>
> Best of luck.

Thanks, Matt!

-Bryan
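
The jar/war check suggested in the quoted message, as an added example that is not part of the original thread or of the linked LunaSec tooling: it walks an archive and any archives nested inside it, and reports each copy of log4j-core it finds, with the version from `pom.properties` and whether `JndiLookup.class` is present. `scan_archive`, `make_zip`, `build_sample_war` and the sample contents are hypothetical names and constructed data; the script does not decide whether a reported version is impacted.

```python
import io
import zipfile

# Real log4j-core entry names; function names and sample data are illustrative.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, findings=None, depth=0, max_depth=5):
    """Walk archive bytes, descending into nested archives; list log4j-core hits."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # shaded jars often drop pom.properties
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"path": label, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        if depth < max_depth:  # bound recursion on odd or hostile archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXTS):
                    scan_archive(zf.read(name), f"{label}!/{name}",
                                 findings, depth + 1, max_depth)
    return findings


def make_zip(entries):
    """Build an in-memory zip from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR bundling a FOP-like jar next to a log4j-core jar."""
    log4j = make_zip({POM_PROPS: "artifactId=log4j-core\nversion=0.0.0-constructed\n",
                      JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    fop = make_zip({"org/apache/fop/Placeholder.class": b"\xca\xfe\xba\xbe"})
    return make_zip({"WEB-INF/lib/fop-sample.jar": fop,
                     "WEB-INF/lib/log4j-core-sample.jar": log4j})
```

To scan a real artifact, pass its bytes, for example `scan_archive(open(path, "rb").read(), path)`, and compare any reported version against the advisory for the release you run.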