CVE-2021-44228 - is a typical Shibboleth IdP 4.1.4 on Jetty 9.44 affected?

Vincent Feyaerts vincent.feyaerts at
Fri Dec 10 17:32:02 UTC 2021



I know this is more related to Jetty perhaps, and Shibboleth devs have no
control over how an admin would set up his Shibboleth IdP. However, this
question is related to a typical Shibboleth IdP 4.1.4, running on Linux,
set up according to all the recommendations made by Shibboleth. We are
running Jetty 9.44.


I did a search on my Shib IdP filesystem and from what I can see, there are
some references to log4j. But if I'm correct, and looking at the startup
parameters of the JVM, my system uses logback for logging after slf4j. This
is probably the default?


Just looking for a confirmation that a typical Shibboleth IdP 4.1.4 on Jetty
9 is not vulnerable.


Thank you

Vincent Feyaerts
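
Added example, not part of the original message and not Shibboleth or Jetty code: a filename search for "log4j" also matches SLF4J bridge jars, so this script looks inside each archive (nested ones included) for the JndiLookup class that log4j-core 2.x ships. The jar and WAR names and the `demo()` tree are constructed sample data; a hit reports that the class is present, not which library version it belongs to.

```python
import io, os, pathlib, sys, tempfile, zipfile

# Class file that log4j-core 2.x ships; SLF4J bridges and log4j-api do not contain it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(src, label, depth=0):
    """Return labels of archives (nested ones included) holding JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                if name == JNDI_LOOKUP:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVES) and depth < 4:
                    hits += scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable or encrypted archive: skipped, which is not the same as clean
    return hits

def scan_tree(root):
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower().endswith(ARCHIVES):
                hits += scan_archive(path, path)
            elif path.replace(os.sep, "/").endswith(JNDI_LOOKUP):
                hits.append(path)  # exploded webapp or classes directory
    return hits

def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed tree: a bridge jar whose name contains log4j, and a WAR bundling log4j-core."""
    root = tempfile.mkdtemp()
    bridge = make_jar({"org/apache/log4j/Logger.class": b""})
    war = make_jar({"WEB-INF/lib/log4j-core-2.x.jar": make_jar({JNDI_LOOKUP: b""})})
    pathlib.Path(root, "log4j-over-slf4j.jar").write_bytes(bridge)
    pathlib.Path(root, "app.war").write_bytes(war)
    return [os.path.relpath(h, root) for h in scan_tree(root)]

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with the installation directory as the only argument; with no argument it scans the constructed demo tree.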
