As you have probably heard already, a vulnerability was found in Log4j2, a popular logging library. PDFsam Basic uses Logback as its logging library and is therefore not affected by that vulnerability. Meanwhile, a lower-severity issue was discovered in Log4j 1.x and Logback. Unlike the Log4j2 issue, which is triggered by a crafted string reaching a log call, this one requires an attacker who can already modify the logging configuration file, which is why it carries a lower severity; it was fixed in Logback v1.2.8.
We have updated and released PDFsam Basic v4.2.9, which ships the fixed version of Logback. You can download it as usual from the Downloads section. We will remain vigilant and address any issues that may arise in the coming days.
Update 20th Dec 2021
We released a new version, 4.2.10, which includes the latest Logback 1.2.9 fixing LOGBACK-1591. It is available as usual in the Downloads section.
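If you want to confirm what a given installation actually ships rather than trust the version number on the download page, the script below is an added example (not PDFsam's own code, and not part of the original post). It walks an installation directory, identifies each .jar by name or manifest, reports any Logback jar older than 1.2.9, and reports any log4j-core jar that still contains the JndiLookup class. It also catches the case where an older copy has been left behind next to the updated one. The 1.2.9 threshold, the directory layout, and the sample jars it builds for its demo are assumptions made for this example; the sample jars are constructed, empty stand-ins, not real PDFsam or Logback artifacts.

```python
"""Inventory .jar files under an install directory and flag logging libraries
that are below a minimum version or still carry the Log4j2 JNDI lookup.
Added example; the thresholds and sample data are assumptions, not PDFsam's."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Minimum accepted versions (assumption for this example: Logback 1.2.9).
MIN_VERSIONS = {
    "logback-core": (1, 2, 9),
    "logback-classic": (1, 2, 9),
}
# The class that implements Log4j2's JNDI lookup. If a log4j-core jar still
# contains it, the build is one that performs JNDI lookups from log messages.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches Maven-style names such as logback-core-1.2.9.jar or foo-1.0-SNAPSHOT.jar.
ARTIFACT_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_version(text):
    """Turn '1.2.9' or '1.2.10-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def inspect_jar(jar_path):
    """Return (artifact_name, version_tuple, has_jndi_lookup) for one jar.

    The name and version come from the filename when it follows the Maven
    convention; otherwise the manifest's Implementation-Version is used."""
    with zipfile.ZipFile(jar_path) as zf:
        members = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in members:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    has_jndi = JNDI_LOOKUP_CLASS in members
    m = ARTIFACT_RE.match(jar_path.name)
    if m:
        return m.group("name"), parse_version(m.group("version")), has_jndi
    version = ()
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            version = parse_version(value.strip())
    return jar_path.stem, version, has_jndi


def scan_directory(install_dir):
    """Walk install_dir recursively and return a list of human-readable findings."""
    findings = []
    for jar in sorted(Path(install_dir).rglob("*.jar")):
        name, version, has_jndi = inspect_jar(jar)
        if has_jndi:
            findings.append(f"{jar.name}: contains JndiLookup class (Log4j2 JNDI lookup present)")
        minimum = MIN_VERSIONS.get(name)
        if minimum is None:
            continue
        if not version:
            findings.append(f"{jar.name}: {name} version unknown, verify manually")
        elif version < minimum:
            have = ".".join(map(str, version))
            want = ".".join(map(str, minimum))
            findings.append(f"{jar.name}: {name} {have} is below {want}")
    return findings


def build_demo_install(root):
    """Write constructed sample jars (empty stand-ins, not real artifacts) under root."""
    def write_jar(relpath, members):
        path = Path(root, relpath)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for member, data in members.items():
                zf.writestr(member, data)
    manifest = "Manifest-Version: 1.0\n"
    write_jar("lib/logback-core-1.2.6.jar", {"META-INF/MANIFEST.MF": manifest})  # orphaned old copy
    write_jar("lib/logback-core-1.2.9.jar", {"META-INF/MANIFEST.MF": manifest})
    write_jar("lib/logback-classic-1.2.9.jar", {"META-INF/MANIFEST.MF": manifest})
    write_jar("lib/log4j-core-2.14.1.jar",
              {"META-INF/MANIFEST.MF": manifest, JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    write_jar("lib/pdfsam-basic.jar",
              {"META-INF/MANIFEST.MF": manifest + "Implementation-Version: 4.2.10\n"})


def demo_report():
    """Build the constructed demo layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_install(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    report = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo_report()
    print("\n".join(report) or "no findings")
```

Run it with the installation directory as the only argument (for example the PDFsam Basic folder under Program Files on Windows); with no argument it scans the constructed demo layout, where it reports the leftover logback-core-1.2.6.jar and the log4j-core jar, and stays silent about the 1.2.9 jars and the application jar. A clean report on a real installation means no jar below the threshold was found, not that nothing else on the classpath needs review.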
5 Replies to “PDFsam and Log4j2 vulnerability”
Thank you for informing and taking corrective action.
Thank you. This whole Log4J thing has been such a mess. I am glad you were able to quickly assess the situation and address that other concern.
Downloaded and installed v4.2.10 of PDF SAM Basic on Windows 11 Pro where v4.2.8 was already installed. The installer hung at 98%; the vulnerable *.jar versions 1.2.6 were not removed. So I terminated the installer, uninstalled Basic 4.2.10 listed under Programs & Features in Control Panel, then manually deleted the orphaned remaining *.jar files in Program Files (x86)\PDF SAM Basic. Reinstalling v4.2.10 worked fine afterwards.
Suggest the installer checks whether a former vulnerable version is installed and removes it before installing later versions.