Anyone know if Mendelson AS2 is vulnerable to the Log4Shell exploit going on right now?
Comments
From what I've seen…
Submitted by gp on Mon, 12/13/2021 - 08:31
From what I've seen mendelson AS2 uses its own logger.
In case of Windows version 1…
Submitted by trefy0711 on Mon, 12/13/2021 - 09:32
In case of Windows version 1.1b57, there is a log4j-1.2.17.jar file in the as2/jlib/mina folder. Based on the file name of log4j it is still log4j 1, and based on my understanding, log4shell is impacting log4j 2.
However, it would be highly appreciated if mendelson would inform the community about whether or not their product is vulnerable, regardless of the (community or commercial) editions.
We built update releases for…
Submitted by service on Mon, 12/13/2021 - 10:48
In reply to In case of Windows version 1… by trefy0711
We built update releases for the mendelson communication software that contain the fixed libs of log4j. Please contact us by mail for download links if you have a commercial version.
Even if we do not use log4j in our modules, we are using 3rd party modules and libs (Apache MINA, Jetty etc.) that use log4j. As a single logging attempt to the framework is enough for an attack, we would recommend an update.
Regards
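Added example, not part of the thread and not mendelson's code: a file name such as log4j-1.2.17.jar is only a hint, and the reply above points at log4j arriving through third-party libs, so this Python scanner classifies archives by the classes they contain and recurses into nested archives. The directory layout built in demo() and the bundle.jar and lib/logging.jar names are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE = "org/apache/logging/log4j/core/Logger.class"
V1 = "org/apache/log4j/Logger.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(names):
    """Classify by bundled classes, not by the archive's file name."""
    if CORE in names or JNDI in names:
        return "log4j-core 2.x " + ("with" if JNDI in names else "without") + " JndiLookup"
    return "log4j 1.x" if V1 in names else None

def scan_archive(src, label, findings):
    """Inspect one archive (path or file object), then archives nested inside it."""
    try:
        with zipfile.ZipFile(src) as zf:
            names = set(zf.namelist())
            if classify(names):
                findings.append((label, classify(names)))
            for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
                scan_archive(io.BytesIO(zf.read(name)), label + "!" + name, findings)
    except zipfile.BadZipFile:
        pass  # unreadable or corrupt archive: skip it and keep scanning

def scan_tree(root):
    """Walk an install directory; return sorted (location, classification) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(ARCHIVES)):
            path = os.path.join(dirpath, fn)
            scan_archive(path, os.path.relpath(path, root).replace(os.sep, "/"), findings)
    return sorted(findings)

def make_jar(dest, entries):  # helper for the constructed sample archives only
    with zipfile.ZipFile(dest, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)

def demo():  # constructed layout: a log4j 1 jar plus log4j-core renamed inside a bundle
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "jlib", "mina"))
        make_jar(os.path.join(root, "jlib", "mina", "log4j-1.2.17.jar"), {V1: b""})
        inner = io.BytesIO()
        make_jar(inner, {CORE: b"", JNDI: b""})
        make_jar(os.path.join(root, "jlib", "bundle.jar"), {"lib/logging.jar": inner.getvalue()})
        return scan_tree(root)
```

Point scan_tree() at the real install directory; any "with JndiLookup" hit means the bundled log4j-core version still has to be checked and updated.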
Thank you for your response…
Submitted by trefy0711 on Mon, 12/13/2021 - 11:10
In reply to We built update releases for… by service
Thank you for your response.
Are you planning to release an emergency update for the community edition as well to mitigate/remediate the vulnerability?
While all of your community…
Submitted by trefy0711 on Tue, 12/14/2021 - 10:42
In reply to We built update releases for… by service
While all of your community customers accepted that only community support is available for the community editions, I believe that everyone in the community would warmly welcome some feedback from you regarding this extreme vulnerability, and whether or not the community edition of your software is affected, and if so, whether you do or don't plan any emergency release to remediate the vulnerability.
Hello, Is there a way to…
Submitted by laurent.sottocasa on Tue, 12/14/2021 - 14:48
In reply to While all of your community… by trefy0711
Hello,
Is there a way to integrate an updated version of log4j into the community version to address this major vulnerability? How do I contact the community to support this fix?
Thank you
Dear mendelson team, Is…
Submitted by trefy0711 on Wed, 12/15/2021 - 14:39
In reply to We built update releases for… by service
Dear mendelson team,
Is there any way to give the community your feedback on that topic sooner rather than later?
Thank you
Please refer to https:/…
Submitted by service on Mon, 12/20/2021 - 09:10
Please refer to https://mendelson-e-c.com/blog for information about releases and patches of the mendelson software.
Regards
Got this reply from support,…
Submitted by hkx2007 on Tue, 12/21/2021 - 14:44
Got this reply from support, regarding OFTP2 CE and Log4j:
"There are different sources that say something about Log4j, for example
https://logging.apache.org/log4j/2.x/security.html
We currently only offer security updates to our paying customers - due to the high number of support requests we are unfortunately unable to take care of companies that use the community version. When we will be able to act accordingly is currently not foreseeable. However, we assume that the Log4j problem is not over yet. A large number of security researchers are currently looking at the lib and will certainly identify some problems as well.
If the mendelson software is important to you and you want a security update, you actually have to purchase a commercial version - you can do that in the mendelson shop."
So it seems, they didn't care about the impact, because we don't pay them...