Security leak in Mustang (Log4j)


Michael Zimmer

Dec 13, 2021, 8:13:49 AM
to ZUGFeRD
Hello!
Since yesterday there have been a lot of warnings in the German press concerning a Java leak in the logging library Log4j. I've found a class named Log4JLogger.class in \org\apache\commons\logging\impl of the Mustang JAR (https://www.mustangproject.org).
Does it mean that Mustang is affected by this security leak?
Is there any update or workaround to disable this class?

Thanks in advance
Michael

Jochen Stärk

Dec 13, 2021, 12:17:06 PM
to Michael Zimmer, ZUGFeRD
Hi,
I had checked with https://github.com/mergebase/log4j-detector in the morning, and the result was negative for mustangproject, the open source Mustang API 0.0.2 and the Mustang server.
Plus, I would have expected a standard Dependabot pull request like last time (https://github.com/ZUGFeRD/mustangproject/pull/245) if we were using a vulnerable version.
We don't use Log4j directly but SLF4J, maybe that helps.

Kind regards
Jochen
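
The distinction this thread turns on, as an added example (not code from either poster and not how log4j-detector is implemented): the class found under `org/apache/commons/logging/impl/` belongs to the Commons Logging adapter package, while Log4j 2's JNDI lookup code is `org/apache/logging/log4j/core/lookup/JndiLookup.class` in log4j-core. The sketch checks a JAR and any JARs nested inside it for each path; the function names and the sample JARs are constructed for illustration.

```python
import io
import zipfile

# Class-file paths that identify each library inside a JAR.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core 2.x (JndiLookup present)",
    "org/apache/commons/logging/impl/Log4JLogger.class": "commons-logging adapter only",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label="<jar>", max_depth=5):
    """Return sorted (location, finding) pairs for a JAR given as bytes,
    descending into nested archives (fat JARs) up to max_depth."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable archive")]
    with archive:
        for info in archive.infolist():
            name = info.filename
            if name in MARKERS:
                findings.append((f"{label}!/{name}", MARKERS[name]))
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                findings += scan_archive(archive.read(info), f"{label}!/{name}", max_depth - 1)
    return sorted(findings)


def bundles_log4j_core(data):
    """True only if a log4j-core 2.x marker class is found at any depth."""
    return any(f.startswith("log4j-core") for _, f in scan_archive(data))


def make_jar(entries):
    """Build a constructed sample JAR in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()


# Constructed samples: one JAR with only the commons-logging adapter,
# one fat JAR that nests a log4j-core JAR under BOOT-INF/lib/.
ADAPTER_ONLY = make_jar({"org/apache/commons/logging/impl/Log4JLogger.class": b""})
NESTED_CORE = make_jar({"BOOT-INF/lib/log4j-core.jar": make_jar(
    {"org/apache/logging/log4j/core/lookup/JndiLookup.class": b""})})

if __name__ == "__main__":
    for title, jar in (("adapter-only", ADAPTER_ONLY), ("nested-core", NESTED_CORE)):
        print(title, bundles_log4j_core(jar), scan_archive(jar, title))
```

A hit on `JndiLookup.class` shows only that log4j-core 2.x is bundled, not which version; relocated (shaded) packages are not matched by this path check.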
