If you're worried about an application, from what I've seen you can use "-Dlog4j2.formatMsgNoLookups=true" if you're using log4j 2.10 or later if you need to run an application that can't change its logging library.

https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/
On Mon, 2021-12-13 at 18:18 +0000, simonsteiner1...@gmail.com wrote:
> Hi,
>
> The binary/zip release doesn’t include log4j, for maven you should
> check mvn dependency:tree
>
> Thanks
>
> -----Original Message-----
> From: Jean-Pierre Lamon <g...@ngscan.com>
> Sent: 13 December 2021 16:40
> To: fop-users@xmlgraphics.apache.org
> Subject: Re: Is FOP impacted by the Log4shell vulnerability?
>
> Hi all,
>
> I'm using FOP from my application but in command mode (just launching
> fop.bat or through powershell). The Swiss government IT asks me if
> my application could be vulnerable. What must be my response?
>
> My future in jail or not depends on your response ;-)
>
> Thx
> JP
>
> On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> > On Mon, Dec 13, 2021 at 03:02:22PM +0000, Matt Kynaston wrote:
> > > From what I can tell (I just use the library) it doesn't depend
> > > on log4j itself. However, given that the library is typically
> > > included in other applications and that may well use a vulnerable
> > > version, your best bet is to check the actual jars / wars with a
> > > tool like at
> > > https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
> > >
> > > If you've got the source code of the application, you should also
> > > be able to view all dependencies with `mvn dependency:tree` and
> > > see if impacted versions of log4j show up there.
> > >
> > > Best of luck.
> >
> > Thanks, Matt!
> > -Bryan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
> > For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org
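
The thread's advice to check the actual jars and wars can be done offline by looking inside each archive, including jars nested in a WAR, for log4j-core's Maven metadata and its `JndiLookup.class`. The following is an added example, not code from the thread or from the FOP project; it assumes the standard log4j-core 2.x file layout, so a shaded jar that relocates the package would not match, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Paths inside log4j-core 2.x that identify it regardless of the jar's file name.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=5):
    """Return (location, version or None, JndiLookup present) per log4j-core copy."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                m = re.search(rb"^version=(\S+)", zf.read(POM_PROPS), re.M)
                version = m.group(1).decode() if m else None
            findings.append((label, version, JNDI_CLASS in names))
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(NESTED):
                    findings += scan_archive(zf.read(name), f"{label}!/{name}",
                                             depth + 1, max_depth)
    return findings

def scan_file(path):
    """Scan one jar/war/ear/zip on disk."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a WAR bundling a stand-in log4j-core jar and an unrelated jar.
SAMPLE_WAR = make_zip({
    "WEB-INF/lib/log4j-core-2.14.1.jar": make_zip(
        {POM_PROPS: b"#Created by Apache Maven\nversion=2.14.1\n", JNDI_CLASS: b""}),
    "WEB-INF/lib/other.jar": make_zip({"com/example/Main.class": b""}),
})

if __name__ == "__main__":
    for loc, ver, jndi in scan_archive(SAMPLE_WAR, "app.war"):
        print(f"{loc}: log4j-core {ver or 'unknown'}, JndiLookup.class present={jndi}")
```

For a real file, call `scan_file` with its path; an empty result means no log4j-core copy was found in that archive under the stated layout assumption.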