If you're worried about an application, from what I've seen you can use
"-Dlog4j2.formatMsgNoLookups=true" if you're using log4j 2.10 or later
if you need to run an application that can't change it's logging
library.
https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/

On Mon, 2021-12-13 at 18:18 +0000, simonsteiner1...@gmail.com wrote:
> Hi,
> The binary/zip release doesn’t include log4j, for maven you should
> check mvn dependency:tree
> Thanks
> -----Original Message-----From: Jean-Pierre Lamon <g...@ngscan.com>
> Sent: 13 December 2021 16:40To: fop-users@xmlgraphics.apache.org
> Subject: Re: Is FOP impacted by the Log4shell vulnerability?
> Hi all,
> I'm using FOP from my application but in command mode (just launching
> fop.bat or through powsershell). The swiss government IT asks me if
> my application could be vulnerable. What must be my response?
> My future in jail or not depends on your response ;-)
> ThxJP
> Le 13.12.2021 à 17:17, Bryan K. Walton a écrit :
> > On Mon, Dec 13, 2021 at 03:02:22PM +0000, Matt Kynaston wrote:
> > > > From what I can tell (I just use the library) it doesn't depend
> > > > on log4j
> > > itself. However, given that the library is typically included in
> > > other applications and that may well use a vulnerable version,
> > > your best bet is to check the actual jars / wars with a tool like
> > > at 
> > > https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-d
> > > etermine-if-you-are-impacted-by-log4shell
> > > If you've got the source code of the application, you should also
> > > be able to view all dependencies with `mvn dependency:tree` and
> > > see if impacted versions of log4j show up there.
> > > Best of luck.
> > 
> > Thanks, Matt!
> > -Bryan
> > -----------------------------------------------------------------
> > ----To unsubscribe, e-mail: 
> > fop-users-unsubscr...@xmlgraphics.apache.org
> > For additional commands, e-mail: 
> > fop-users-h...@xmlgraphics.apache.org
> > 
> 
> -------------------------------------------------------------------
> --To unsubscribe, e-mail: 
> fop-users-unsubscr...@xmlgraphics.apache.org
> For additional commands, e-mail: 
> fop-users-h...@xmlgraphics.apache.org
> 
> 
> 
> -------------------------------------------------------------------
> --To unsubscribe, e-mail: 
> fop-users-unsubscr...@xmlgraphics.apache.org
> For additional commands, e-mail: 
> fop-users-h...@xmlgraphics.apache.org
> 

Reply via email to