Hi all,
I'm using FOP from my application but in command mode (just launching
fop.bat or through PowerShell). The Swiss government IT asks me if my
application could be vulnerable. What must be my response?
My future in jail or not depends on your response ;-)
Thx
JP
On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> On Mon, Dec 13, 2021 at 03:02:22PM +0000, Matt Kynaston wrote:
>> From what I can tell (I just use the library) it doesn't depend on log4j
>> itself. However, given that the library is typically included in other
>> applications and that may well use a vulnerable version, your best bet is
>> to check the actual jars / wars with a tool like the one at
>> https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>> If you've got the source code of the application, you should also be able
>> to view all dependencies with `mvn dependency:tree` and see if impacted
>> versions of log4j show up there.
>> Best of luck.
>
> Thanks, Matt!
> -Bryan
---------------------------------------------------------------------
To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org