Log4Shell

Anyone know if Mendelson AS2 is vulnerable to the Log4Shell exploit going on right now?

Forum
AS2

Comments

Got this reply from support, regarding OFTP2 CE and Log4j:

"There are different sources that say something about Log4j, for example
https://logging.apache.org/log4j/2.x/security.html

We currently only offer security updates to our paying customers - due to the high number of support requests we are unfortunately unable to take care of companies that use the community version. When we will be able to act accordingly is currently not foreseeable. However, we assume that the Log4j problem is not over yet. A large number of security researchers are currently looking at the lib and will certainly identify some problems as well.

If the mendelson software is important to you and you want a security update, you actually have to purchase a commercial version - you can do that in the mendelson shop."

So it seems, they didn't care about the impact, because we don't pay them...