is Mirth affected by log4j vulnerablity

Mirth Connect still uses log4j 1.2.16, and doesn’t include log4j 2.x.

In fact, that JndiLookup class isn’t even present at all in the log4j 1.x JAR. That looks to have been added in 2.x : https://logging.apache.org/log4j/2.x/manual/lookups.html#JndiLookup

So as far as I can tell, MC is not affected by this CVE, unless you are explicitly including log4j 2.x as a custom library. 

Leave a Reply

Your email address will not be published. Required fields are marked *