RE: Is FOP impacted by the Log4shell vulnerability?
Hi,

We don't include log4j.

Thanks

-----Original Message-----
From: Bryan K. Walton
Sent: 13 December 2021 14:41
To: fop-users@xmlgraphics.apache.org
Subject: Is FOP impacted by the Log4shell vulnerability?

Hi, is Apache FOP susceptible to the Log4shell vulnerability that is making the rounds right now?

Thanks!
Bryan Walton

---------------------------------------------------------------------
To unsubscribe, e-mail: fop-users-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: fop-users-h...@xmlgraphics.apache.org
Is FOP impacted by the Log4shell vulnerability?
Hi, is Apache FOP susceptible to the Log4shell vulnerability that is making the rounds right now?

Thanks!
Bryan Walton
Re: Is FOP impacted by the Log4shell vulnerability?
If you're worried about an application, from what I've seen you can use "-Dlog4j2.formatMsgNoLookups=true" if you're using log4j 2.10 or later, if you need to run an application that can't change its logging library.

https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/

On Mon, 2021-12-13 at 18:18 +, simonsteiner1...@gmail.com wrote:
> Hi,
>
> The binary/zip release doesn't include log4j, for maven you should check mvn dependency:tree
>
> Thanks
>
> -----Original Message-----
> From: Jean-Pierre Lamon
> Sent: 13 December 2021 16:40
> To: fop-users@xmlgraphics.apache.org
> Subject: Re: Is FOP impacted by the Log4shell vulnerability?
>
> Hi all,
>
> I'm using FOP from my application but in command mode (just launching fop.bat or through powershell). The Swiss government IT asks me if my application could be vulnerable. What must be my response?
>
> My future in jail or not depends on your response ;-)
>
> Thx
> JP
>
> On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> > On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
> > > From what I can tell (I just use the library) it doesn't depend on log4j itself. However, given that the library is typically included in other applications and that may well use a vulnerable version, your best bet is to check the actual jars / wars with a tool like at https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
> > >
> > > If you've got the source code of the application, you should also be able to view all dependencies with `mvn dependency:tree` and see if impacted versions of log4j show up there.
> > >
> > > Best of luck.
> >
> > Thanks, Matt!
> >
> > -Bryan
RE: Is FOP impacted by the Log4shell vulnerability?
Hi,

The binary/zip release doesn't include log4j, for maven you should check mvn dependency:tree

Thanks

-----Original Message-----
From: Jean-Pierre Lamon
Sent: 13 December 2021 16:40
To: fop-users@xmlgraphics.apache.org
Subject: Re: Is FOP impacted by the Log4shell vulnerability?

Hi all,

I'm using FOP from my application but in command mode (just launching fop.bat or through powershell). The Swiss government IT asks me if my application could be vulnerable. What must be my response?

My future in jail or not depends on your response ;-)

Thx
JP

On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
>> From what I can tell (I just use the library) it doesn't depend on log4j itself. However, given that the library is typically included in other applications and that may well use a vulnerable version, your best bet is to check the actual jars / wars with a tool like at https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>>
>> If you've got the source code of the application, you should also be able to view all dependencies with `mvn dependency:tree` and see if impacted versions of log4j show up there.
>>
>> Best of luck.
>
> Thanks, Matt!
>
> -Bryan
Re: Is FOP impacted by the Log4shell vulnerability?
Hi all,

I'm using FOP from my application but in command mode (just launching fop.bat or through powershell). The Swiss government IT asks me if my application could be vulnerable. What must be my response?

My future in jail or not depends on your response ;-)

Thx
JP

On 13.12.2021 at 17:17, Bryan K. Walton wrote:
> On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
>> From what I can tell (I just use the library) it doesn't depend on log4j itself. However, given that the library is typically included in other applications and that may well use a vulnerable version, your best bet is to check the actual jars / wars with a tool like at https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>>
>> If you've got the source code of the application, you should also be able to view all dependencies with `mvn dependency:tree` and see if impacted versions of log4j show up there.
>>
>> Best of luck.
>
> Thanks, Matt!
>
> -Bryan
Re: Is FOP impacted by the Log4shell vulnerability?
On Mon, Dec 13, 2021 at 03:02:22PM +, Matt Kynaston wrote:
> From what I can tell (I just use the library) it doesn't depend on log4j itself. However, given that the library is typically included in other applications and that may well use a vulnerable version, your best bet is to check the actual jars / wars with a tool like at https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell
>
> If you've got the source code of the application, you should also be able to view all dependencies with `mvn dependency:tree` and see if impacted versions of log4j show up there.
>
> Best of luck.

Thanks, Matt!

-Bryan
Re: Is FOP impacted by the Log4shell vulnerability?
From what I can tell (I just use the library) it doesn't depend on log4j itself. However, given that the library is typically included in other applications and that may well use a vulnerable version, your best bet is to check the actual jars / wars with a tool like at https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/#3-determine-if-you-are-impacted-by-log4shell

If you've got the source code of the application, you should also be able to view all dependencies with `mvn dependency:tree` and see if impacted versions of log4j show up there.

Best of luck.

On Mon, 13 Dec 2021 at 14:46, Bryan K. Walton wrote:
> Hi, is Apache FOP susceptible to the Log4shell vulnerability that is making the rounds right now?
>
> Thanks!
> Bryan Walton

--
Matt Kynaston
Lead Developer
Tel: +441225851666
www.claritum.com
Claritum Limited. Registered Office: 37 Great Pulteney Street, Bath, BA2 4DA
Registered in England and Wales 3878694
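Matt's advice above is to check the jars and wars actually deployed rather than trusting that the FOP download is clean. The script below is an added example written for this thread, not code from the list or from Apache FOP: it walks a directory, opens every .jar/.war/.ear (descending into jars nested under WEB-INF/lib), reads the Maven pom.properties that log4j-core ships to get its version, and checks whether JndiLookup.class is still present. The sample tree it builds is constructed in a temp directory for the demonstration; the version threshold (2.15.0) is the first release fixing CVE-2021-44228, and the "vulnerable" verdict is deliberately conservative.

```python
# Added example (not Apache FOP or thread code): find log4j-core bundled in jars/wars
# under a directory (nested jars too) and report versions hit by CVE-2021-44228 (< 2.15.0).
import io, os, re, tempfile, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # first log4j release fixing CVE-2021-44228

def parse_version(pom_text):
    """'version=2.14.1' -> (2, 14, 1); None if the properties carry no version."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_text, re.M)
    return tuple(int(g) for g in m.groups()) if m else None

def inspect_archive(zf, label):
    """Return [(label, version, has_jndi)] for this archive and any nested jars."""
    names = set(zf.namelist())
    found = []
    if POM_PROPS in names or JNDI_CLASS in names:
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        found.append((label, version, JNDI_CLASS in names))
    for name in sorted(names):  # e.g. WEB-INF/lib/*.jar inside a war
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                found.extend(inspect_archive(inner, f"{label}!{name}"))
    return found

def scan(root):
    found = []  # walk root and collect findings from every jar/war/ear
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".jar", ".war", ".ear")):
                with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                    found.extend(inspect_archive(zf, f))
    return found

def is_vulnerable(version, has_jndi):
    """Conservative: lookup class present and version below 2.15.0 (or unknown)."""
    return has_jndi and (version is None or version < FIXED)

def make_sample_tree():
    root = tempfile.mkdtemp()  # constructed fixtures, not real application files
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:  # log4j-core 2.14.1 stand-in
        z.writestr(POM_PROPS, "version=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.17.0.jar"), "w") as z:
        z.writestr(POM_PROPS, "version=2.17.0\n")  # patched release stand-in
    return root
```

Run `scan("/path/to/deployment")` and pass each finding to `is_vulnerable`; a `None` version with the lookup class present usually means a repackaged or shaded core and deserves a manual look.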