Hi team,

We are using following jar provided by you.

1. jdom.jar 0.9
2. jdom-b9 1.0
3. jdom 1.0

We want to ensure and know if it is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If it’s impacted please let us know about the security recommendation. To know we are looking for following answer

1. Are you using log4J?
2. If you are using log4j 1.x version, are you using JMSAppender class
3. if you are using log4j 2.x are , what is your security recommendation to fix the issue.

Thanks,
Vikram Somawar

Your team needs to figure out Maven dependencies, and how to manage library versions, which can answer and solve this question. It is not practical to raise issues with every software library author,.nor will it necessarily fix the issues in your particular system.

As @eschulma says, you have the ultimate responsibility for your dependency tree.

That said, the end user JDOM libraries do not have a dependency on log4j.

There is a version of log4j in the JDOM source that's used during the JDOM build process by the cobertura code coverage tool. In that case it runs on my machine, not yours. :) It's the old log4j 1.x which does not include the CVE-2021-44228 vulnerability.