Log4Shell

Anyone know if Mendelson AS2 is vulnerable to the Log4Shell exploit going on right now?

Forum
AS2

Comments

In case of Windows version 1.1b57, there is a log4j-1.2.17.jar file in as2/jlib/mina folder.
Based on the file name of log4j it is still log4j 1, and based on my understanding, log4shell is impacting log4j 2.

However, that would be highly appreciated, if mendelson would inform the community abouz, whether or not their product is vulnerable regardless of the (community or commercial) editions.

Profile picture for user service

In reply to by trefy0711

We built update releases for the mendelson communication software that contains the fixed libs of log4j. Please contact us by mail for download links if you have a commercial version.
Even if we do not use log4j in our modules we are using 3rd party modules and libs (apache MINA, jetty etc ) that use log4j. As a single logging attempt to the framework is enough for an attack we would recommend an update.

Regards

In reply to by service

While all of your community customers accepted, that there is only community support is available for the community editions.
However, I believe, that everyone in the community would warmly welcome some feedback from you regarding this extreme vulnerability, and whether or not the community edition of your software is affected, and if so, you do or don't plan any emergency release to remediate the vulnerability.

In reply to by trefy0711

Hello,
Is there a way to integrate an updated version of log4j into the community version to address this major vulnerability? How do I contact the community to support this fix?
thank you

Got this reply from support, regarding OFTP2 CE and Log4j:

"There are different sources that say something about Log4j, for example
https://logging.apache.org/log4j/2.x/security.html

We currently only offer security updates to our paying customers - due to the high number of support requests we are unfortunately unable to take care of companies that use the community version. When we will be able to act accordingly is currently not foreseeable. However, we assume that the Log4j problem is not over yet. A large number of security researchers are currently looking at the lib and will certainly identify some problems as well.

If the mendelson software is important to you and you want a security update, you actually have to purchase a commercial version - you can do that in the mendelson shop."

So it seems, they didn't care about the impact, because we don't pay them...