Anyone know if Mendelson AS2 is vulnerable to the Log4Shell exploit going on right now?



In the case of Windows version 1.1b57, there is a log4j-1.2.17.jar file in the as2/jlib/mina folder.
Based on the file name of log4j it is still log4j 1, and based on my understanding, log4shell is impacting log4j 2.

However, it would be highly appreciated if mendelson would inform the community about whether or not their product is vulnerable, regardless of the (community or commercial) edition.
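The reply above infers the Log4j generation from the jar's file name, and the vendor's reply notes that bundled third-party libraries bring Log4j in. As an added example (not part of the thread and not mendelson's code), this Python script checks archive contents instead, looking for the Log4j 1.x `Logger` class and the Log4j 2 `JndiLookup` class in every archive under a directory, including jars nested inside other archives. The function names are made up for this example; the marker paths are the class locations in the upstream Apache Log4j jars.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class files that identify each Log4j generation regardless of the jar's name.
# (Helper names below are illustrative; the paths come from upstream Log4j jars.)
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def classify_archive(data, label, depth=0, max_depth=4):
    """Return [(label, finding)] for one archive and any archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable")]
    findings = []
    with zf:
        names = set(zf.namelist())
        if LOG4J2_JNDI in names:
            findings.append((label, "log4j2-core with JndiLookup"))
        if LOG4J1_MARKER in names:
            findings.append((label, "log4j1"))
        if depth < max_depth:  # bound recursion into fat jars / wars
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings += classify_archive(
                        zf.read(name), f"{label}!{name}", depth + 1, max_depth)
    return findings


def scan_tree(root):
    """Walk an installation directory and classify every archive found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings += classify_archive(path.read_bytes(), str(path))
    return findings


if __name__ == "__main__":
    for label, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding:30} {label}")
```

A `JndiLookup` hit identifies a log4j-core 2.x jar, not its patch level, so the jar's version still has to be compared against the fixed release.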

In reply to by trefy0711

We built update releases for the mendelson communication software that contain the fixed libs of log4j. Please contact us by mail for download links if you have a commercial version.
Even if we do not use log4j in our modules, we are using 3rd party modules and libs (Apache MINA, Jetty, etc.) that use log4j. As a single logging attempt to the framework is enough for an attack, we would recommend an update.


In reply to by service

While all of your community customers accepted that only community support is available for the community editions, I believe that everyone in the community would warmly welcome some feedback from you regarding this extreme vulnerability: whether or not the community edition of your software is affected, and if so, whether you do or don't plan any emergency release to remediate the vulnerability.

In reply to by trefy0711

Is there a way to integrate an updated version of log4j into the community version to address this major vulnerability? How do I contact the community to support this fix?
Thank you

Specifically, I mean: do you expect to release an update to address this vulnerability for the OFTP2 community edition?