Hi,

The binary/zip release doesn’t include log4j; for Maven you should check `mvn dependency:tree`.

Thanks

-----Original Message-----
From: Jean-Pierre Lamon <g...@ngscan.com>
Sent: 13 December 2021 16:40
To: fop-users@xmlgraphics.apache.org
Subject: Re: Is FOP impacted by the Log4shell vulnerability?

Hi all,

I'm using FOP from my application but in command mode (just launching fop.bat or through PowerShell). The Swiss government IT asks me if my application could be vulnerable. What must be my response? My future in jail or not depends on your response ;-)

Thx
JP

On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> On Mon, Dec 13, 2021 at 03:02:22PM +0000, Matt Kynaston wrote:
>> From what I can tell (I just use the library) it doesn't depend on
>> log4j itself. However, given that the library is typically included in
>> other applications and that may well use a vulnerable version, your
>> best bet is to check the actual jars / wars with a tool like at
>> https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>>
>> If you've got the source code of the application, you should also be
>> able to view all dependencies with `mvn dependency:tree` and see if
>> impacted versions of log4j show up there.
>>
>> Best of luck.
>
> Thanks, Matt!
>
> -Bryan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
> For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org