RE: Is FOP impacted by the Log4shell vulnerability?

2021-12-14 Thread Simon Steiner
Hi,

We don’t include log4j.

Thanks

-Original Message-
From: Bryan K. Walton  
Sent: 13 December 2021 14:41
To: fop-users@xmlgraphics.apache.org
Subject: Is FOP impacted by the Log4shell vulnerability?

Hi, is Apache FOP susceptible to the Log4shell vulnerability that is making the 
rounds right now?

Thanks!
Bryan Walton

-
To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org






Is FOP impacted by the Log4shell vulnerability?

2021-12-14 Thread Bryan K. Walton
Hi, is Apache FOP susceptible to the Log4shell vulnerability that is
making the rounds right now?

Thanks!
Bryan Walton




Re: Is FOP impacted by the Log4shell vulnerability?

2021-12-13 Thread Jon Schewe
If you're worried about an application, from what I've seen you can use
"-Dlog4j2.formatMsgNoLookups=true" if you're using log4j 2.10 or later
if you need to run an application that can't change its logging
library.
https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/

On Mon, 2021-12-13 at 18:18 +, simonsteiner1...@gmail.com wrote:
> Hi,
> The binary/zip release doesn’t include log4j, for maven you should
> check mvn dependency:tree
> Thanks
> -Original Message-
> From: Jean-Pierre Lamon 
> Sent: 13 December 2021 16:40
> To: fop-users@xmlgraphics.apache.org
> Subject: Re: Is FOP impacted by the Log4shell vulnerability?
> Hi all,
> I'm using FOP from my application but in command mode (just launching
> fop.bat or through PowerShell). The Swiss government IT asks me if
> my application could be vulnerable. What must be my response?
> My future in jail or not depends on your response ;-)
> Thx
> JP
> On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> > On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
> > > From what I can tell (I just use the library) it doesn't depend
> > > on log4j
> > > itself. However, given that the library is typically included in
> > > other applications and that may well use a vulnerable version,
> > > your best bet is to check the actual jars / wars with a tool like
> > > the one at
> > > https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
> > > If you've got the source code of the application, you should also
> > > be able to view all dependencies with `mvn dependency:tree` and
> > > see if impacted versions of log4j show up there.
> > > Best of luck.
> > 
> > Thanks, Matt!
> > -Bryan


RE: Is FOP impacted by the Log4shell vulnerability?

2021-12-13 Thread simonsteiner1984
Hi,

The binary/zip release doesn’t include log4j, for maven you should check mvn 
dependency:tree

Thanks

-Original Message-
From: Jean-Pierre Lamon  
Sent: 13 December 2021 16:40
To: fop-users@xmlgraphics.apache.org
Subject: Re: Is FOP impacted by the Log4shell vulnerability?

Hi all,

I'm using FOP from my application but in command mode (just launching fop.bat 
or through PowerShell). The Swiss government IT asks me if my application 
could be vulnerable. What must be my response?

My future in jail or not depends on your response ;-)

Thx
JP

On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
>> From what I can tell (I just use the library) it doesn't depend on 
>> log4j
>> itself. However, given that the library is typically included in 
>> other applications and that may well use a vulnerable version, your 
>> best bet is to check the actual jars / wars with a tool like the one at 
>> https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>>
>> If you've got the source code of the application, you should also be 
>> able to view all dependencies with `mvn dependency:tree` and see if 
>> impacted versions of log4j show up there.
>>
>> Best of luck.
>
> Thanks, Matt!
>
> -Bryan
>



Re: Is FOP impacted by the Log4shell vulnerability?

2021-12-13 Thread Jean-Pierre Lamon

Hi all,

I'm using FOP from my application but in command mode (just launching 
fop.bat or through PowerShell). The Swiss government IT asks me if my 
application could be vulnerable. What must be my response?


My future in jail or not depends on your response ;-)

Thx
JP

On 13.12.2021 at 17:17, Bryan K. Walton wrote:

On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:

From what I can tell (I just use the library) it doesn't depend on log4j
itself. However, given that the library is typically included in other
applications and that may well use a vulnerable version, your best bet is
to check the actual jars / wars with a tool like the one at
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell

If you've got the source code of the application, you should also be able
to view all dependencies with `mvn dependency:tree` and see if impacted
versions of log4j show up there.

Best of luck.


Thanks, Matt!

-Bryan




Re: Is FOP impacted by the Log4shell vulnerability?

2021-12-13 Thread Bryan K. Walton
On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
> From what I can tell (I just use the library) it doesn't depend on log4j
> itself. However, given that the library is typically included in other
> applications and that may well use a vulnerable version, your best bet is
> to check the actual jars / wars with a tool like the one at
> https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
> 
> If you've got the source code of the application, you should also be able
> to view all dependencies with `mvn dependency:tree` and see if impacted
> versions of log4j show up there.
> 
> Best of luck.


Thanks, Matt!

-Bryan




Re: Is FOP impacted by the Log4shell vulnerability?

2021-12-13 Thread Matt Kynaston
From what I can tell (I just use the library) it doesn't depend on log4j
itself. However, given that the library is typically included in other
applications and that may well use a vulnerable version, your best bet is
to check the actual jars / wars with a tool like the one at
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell

If you've got the source code of the application, you should also be able
to view all dependencies with `mvn dependency:tree` and see if impacted
versions of log4j show up there.

Best of luck.

On Mon, 13 Dec 2021 at 14:46, Bryan K. Walton
 wrote:

> Hi, is Apache FOP susceptible to the Log4shell vulnerability that is
> making the rounds right now?
>
> Thanks!
> Bryan Walton
>

-- 


Matt Kynaston
Lead Developer
Tel: +441225851666
www.claritum.com

Claritum Limited. Registered Office: 37 Great Pulteney Street, Bath, BA2
4DA  Registered in England and Wales 3878694
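The check Matt recommends above (look inside the actual jars/wars, because FOP itself ships no log4j but the host application may), together with Jon's caveat that `-Dlog4j2.formatMsgNoLookups=true` only helps on log4j 2.10 and later, written out as an added example. This is not code from the thread or from Apache FOP. It walks a directory, opens every .jar/.war/.ear, recurses into archives nested inside them (WEB-INF/lib), reads log4j-core's Maven `pom.properties` for the version, checks whether `JndiLookup.class` is still present, and returns a verdict per hit. The two entry paths are the standard log4j-core jar layout; the version thresholds (2.15.0 fixed CVE-2021-44228, the flag exists from 2.10) are facts about log4j; the sample archives, their file names and the `demo()`/`build_sample_tree()` helpers are constructed for this example only.

```python
"""Added example (not from the thread or from Apache FOP): find log4j-core bundled in
jar/war/ear files and say whether CVE-2021-44228 applies. Sample archives are constructed."""
import io
import os
import re
import tempfile
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): leading digits of each dot-part."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in version.split("."))

def assess(version, has_jndi_lookup):
    """Verdict for one hit: 2.15.0 fixed CVE-2021-44228; formatMsgNoLookups exists from 2.10 only."""
    if version is None:
        return "log4j-core present, version unknown: inspect manually"
    v = version_tuple(version)
    if v >= (2, 15, 0):
        return "CVE-2021-44228 fixed in 2.15.0+; still confirm the latest patch level"
    if not has_jndi_lookup:
        return "pre-2.15.0 but JndiLookup.class removed (CVE-2021-44228 mitigated); upgrade anyway"
    if v >= (2, 10, 0):
        return "VULNERABLE to CVE-2021-44228; formatMsgNoLookups is a stopgap, upgrade preferred"
    return "VULNERABLE to CVE-2021-44228; formatMsgNoLookups does NOT apply below 2.10"

def scan_zip(zf, origin):
    """Yield findings for an open ZipFile, recursing into nested archives (WEB-INF/lib etc.)."""
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = None
    if POM_PATH in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PATH).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else None
    if version is not None or has_jndi:
        yield {"archive": origin, "version": version, "jndi_lookup": has_jndi,
               "verdict": assess(version, has_jndi)}
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from scan_zip(inner, origin + "!/" + name)
            except zipfile.BadZipFile:
                continue  # an entry named .jar that is not a zip; skip it

def scan_path(root):
    """Walk a directory tree and collect findings for every archive in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(scan_zip(zf, path))
                except zipfile.BadZipFile:
                    continue  # corrupt or mislabelled file; skip it
    return findings

def _zip_bytes(entries):
    """In-memory zip from {name: bytes or str}; helper for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def _log4j_core_jar(version, keep_jndi_class):
    """Constructed stand-in for a log4j-core jar: only the entries the scanner reads."""
    entries = {POM_PATH: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n"}
    if keep_jndi_class:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    return _zip_bytes(entries)

def build_sample_tree(root):
    """Constructed samples: two loose log4j-core jars, a war bundling a vulnerable jar and a
    JndiLookup-stripped one, and a log4j-free jar standing in for fop.jar (hypothetical names)."""
    samples = {
        "log4j-core-2.14.1.jar": _log4j_core_jar("2.14.1", True),
        "log4j-core-2.17.1.jar": _log4j_core_jar("2.17.1", True),
        "app.war": _zip_bytes({
            "WEB-INF/lib/log4j-core-2.14.1.jar": _log4j_core_jar("2.14.1", True),
            "WEB-INF/lib/log4j-core-2.14.1-stripped.jar": _log4j_core_jar("2.14.1", False)}),
        "fop.jar": _zip_bytes({"org/apache/fop/cli/Main.class": b"placeholder"}),  # no log4j
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

def demo():
    """Build the constructed sample tree in a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_path(root)
```

On a real deployment call `scan_path("/path/to/app")`; the nested-archive recursion is the part that matters, because a war carries its jars under WEB-INF/lib and a plain directory listing never shows log4j at all. This complements `mvn dependency:tree`, which only reports what the build declared, not what was actually shipped or dropped into a lib directory later.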


Is FOP impacted by the Log4shell vulnerability?

2021-12-13 Thread Bryan K. Walton
Hi, is Apache FOP susceptible to the Log4shell vulnerability that is
making the rounds right now?

Thanks!
Bryan Walton
