Security leak in Mustang (Log4j)

[Michael Zimmer]

Hello!

Since yesterday there are a lot of warnings in the german press concerning a JAVA leak in the logging library LOG4j. I've found a class named Log4JLogger.class  in \org\apache\commons\logging\impl of the mustang JAR (https://www.mustangproject.org).

Does it mean that mustang is affected to this security leak?

Is there any update or workaround to disable this class?

Thanks in advance

Michael

[Jochen Stärk]

Hi,

I had checked with the https://github.com/mergebase/log4j-detector in the morning and the result was negative for mustangproject, the open source mustang api 0.0.2 and the mustang server.

Plus I would have expected a standard dependabot pull request like last time https://github.com/ZUGFeRD/mustangproject/pull/245 if we were using a vulnerable version.

We don't use Log4j directly but SLF4j, maybe that helps.

kind regards

Jochen

--
You received this message because you are subscribed to the Google Groups "ZUGFeRD" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zugferd+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zugferd/4a0fb980-74d8-4325-85d0-38c4e25274e7n%40googlegroups.com.