Comments
From what I've seen…
Submitted by gp on Mon, 12/13/2021 - 08:31
From what I've seen mendelson AS2 uses its own logger.
In case of Windows version 1…
Submitted by trefy0711 on Mon, 12/13/2021 - 09:32
In case of Windows version 1.1b57, there is a log4j-1.2.17.jar file in the as2/jlib/mina folder. Based on the file name of log4j it is still log4j 1, and based on my understanding, log4shell is impacting log4j 2.
However, it would be highly appreciated if mendelson would inform the community about whether or not their product is vulnerable, regardless of the (community or commercial) edition.
We built update releases for…
Submitted by service on Mon, 12/13/2021 - 10:48
In reply to In case of Windows version 1… by trefy0711
We built update releases for the mendelson communication software that contain the fixed libs of log4j. Please contact us by mail for download links if you have a commercial version.
Even though we do not use log4j in our own modules, we are using 3rd party modules and libs (Apache MINA, Jetty, etc.) that use log4j. As a single logging attempt to the framework is enough for an attack, we would recommend an update.
Regards
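The two comments above raise the two questions a defender actually has to answer here: which log4j generation a given jar belongs to (the 1.2.17 jar in as2/jlib/mina is log4j 1, not the log4j 2 code path Log4Shell uses), and whether third-party libraries in the same install bundle a log4j 2 core of their own. The script below is an added example, not mendelson's code and not from this thread: it inventories every jar under a directory and classifies it by the log4j class files it contains rather than by file name, so a shaded vendor jar with a bundled log4j-core is caught as well. The class paths are real log4j class locations; the sample install tree (as2/jlib/mina/log4j-1.2.17.jar, a hypothetical vendor-bundle-all.jar, an empty jetty-util.jar) is constructed inline so the script runs offline. The status labels and the 2.16.0 threshold (the release in which message lookups were removed) are the example's own assumptions.

```python
"""Inventory jar files under a directory and report which ones carry log4j classes.

Constructed example (not mendelson code): the sample jars are generated inline so the
script runs offline; the as2/jlib/mina path mirrors the name given in the thread.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Marker class paths (real log4j class locations).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J1_JMS = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
LOG4J2_API_MARKER = "org/apache/logging/log4j/Logger.class"
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

FILENAME_VERSION_RE = re.compile(r"log4j(?:-core|-api)?-(\d+(?:\.\d+)+)\.jar$")
POM_VERSION_RE = re.compile(r"^version=(.+)$", re.M)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); None if the text is missing or not numeric."""
    if not text:
        return None
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def jar_version(jar, names):
    """Version from the file name, else from a log4j pom.properties inside the jar."""
    m = FILENAME_VERSION_RE.search(jar.name)
    if m:
        return m.group(1)
    for n in names:
        if n.startswith("META-INF/maven/") and "log4j" in n and n.endswith("/pom.properties"):
            with zipfile.ZipFile(jar) as zf:
                props = zf.read(n).decode("utf-8", "replace")
            vm = POM_VERSION_RE.search(props)
            if vm:
                return vm.group(1).strip()
    return None


def classify_jar(jar):
    """Describe the log4j content of one jar; shaded jars are detected by class path."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    version = jar_version(jar, names)
    vt = parse_version(version)
    if LOG4J2_CORE_MARKER in names or LOG4J2_API_MARKER in names:
        family = "log4j2"
        if LOG4J2_JNDI in names:
            # JndiLookup.class is the Log4Shell code path; message lookups were removed in 2.16.0
            if vt is not None and vt >= (2, 16, 0):
                status = "log4j2-jndi-class-present-patched"
            else:
                status = "log4j2-log4shell-affected"
        else:
            status = "log4j2-no-jndi-lookup"
    elif LOG4J1_MARKER in names:
        family = "log4j1"
        status = "log4j1-eol"  # not the Log4Shell code path, but end-of-life
    else:
        family = None
        status = "no-log4j"
    return {"jar": str(jar), "family": family, "version": version,
            "jndi_lookup": LOG4J2_JNDI in names, "jms_appender": LOG4J1_JMS in names,
            "status": status}


def scan_dir(root):
    """Classify every *.jar below root (recursively)."""
    return sorted((classify_jar(p) for p in Path(root).rglob("*.jar")), key=lambda r: r["jar"])


def _write_jar(path, entries):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def make_sample_tree(root):
    """Constructed sample install tree; the class entries are empty placeholders."""
    root = Path(root)
    _write_jar(root / "as2/jlib/mina/log4j-1.2.17.jar", {LOG4J1_MARKER: b"", LOG4J1_JMS: b""})
    _write_jar(root / "as2/jlib/log4j-core-2.17.1.jar", {LOG4J2_CORE_MARKER: b"", LOG4J2_JNDI: b""})
    # Hypothetical shaded vendor bundle: nothing in the file name says log4j.
    _write_jar(root / "as2/jlib/vendor-bundle-all.jar",
               {LOG4J2_CORE_MARKER: b"", LOG4J2_JNDI: b"",
                "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"})
    _write_jar(root / "as2/jlib/jetty-util.jar", {"org/eclipse/jetty/util/Placeholder.class": b""})
    return root


def demo():
    """Build the constructed tree in a temp dir and return results keyed by jar file name."""
    root = make_sample_tree(tempfile.mkdtemp(prefix="log4j-scan-"))
    return {Path(r["jar"]).name: r for r in scan_dir(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:28} {r['family'] or '-':8} {r['version'] or '-':8} {r['status']}")
```

Run it against a real install directory by replacing `demo()` with `scan_dir("/path/to/mendelson")`. The point of keying on class paths instead of file names is the shaded-jar case: a bundle like the constructed vendor-bundle-all.jar carries log4j-core 2.14.1 with JndiLookup.class even though its name never mentions log4j, which is exactly the exposure the vendor's reply about third-party libs describes.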
Thank you for your response…
Submitted by trefy0711 on Mon, 12/13/2021 - 11:10
In reply to We built update releases for… by service
Thank you for your response.
Are you planning to release an emergency update for the community edition as well to mitigate/remediate the vulnerability?
While all of your community…
Submitted by trefy0711 on Tue, 12/14/2021 - 10:42
In reply to We built update releases for… by service
While all of your community customers have accepted that only community support is available for the community editions.
However, I believe that everyone in the community would warmly welcome some feedback from you regarding this extreme vulnerability, and whether or not the community edition of your software is affected, and if so, whether you do or don't plan any emergency release to remediate the vulnerability.
Hello, Is there a way to…
Submitted by laurent.sottocasa on Tue, 12/14/2021 - 14:48
In reply to While all of your community… by trefy0711
Hello,
Is there a way to integrate an updated version of log4j into the community version to address this major vulnerability? How do I contact the community to support this fix?
thank you
Dear mendelson team, Is…
Submitted by trefy0711 on Wed, 12/15/2021 - 14:39
In reply to We built update releases for… by service
Dear mendelson team,
Is there any way for the community to have your feedback sooner, rather than later, on that topic?
Thank you
Please refer to https:/…
Submitted by service on Mon, 12/20/2021 - 09:10
Please refer to https://mendelson-e-c.com/blog for information about releases and patches of the mendelson software.
Regards
Got this reply from support,…
Submitted by hkx2007 on Tue, 12/21/2021 - 14:44
Got this reply from support, regarding OFTP2 CE and Log4j:
"There are different sources that say something about Log4j, for example
https://logging.apache.org/log4j/2.x/security.html
We currently only offer security updates to our paying customers - due to the high number of support requests we are unfortunately unable to take care of companies that use the community version. When we will be able to act accordingly is currently not foreseeable. However, we assume that the Log4j problem is not over yet. A large number of security researchers are currently looking at the lib and will certainly identify some problems as well.
If the mendelson software is important to you and you want a security update, you actually have to purchase a commercial version - you can do that in the mendelson shop."
So it seems, they didn't care about the impact, because we don't pay them...