CVE-2021-44228 - is a typical Shibboleth IdP 4.1.4 on Jetty 9.44 affected?
Kevin Foote
kevin.foote at colorado.edu
Fri Dec 10 17:54:21 UTC 2021
Covered here.
<https://marc.info/?l=shibboleth-announce&m=163915134027951&w=2>
---------
thanks
- kpfoote
> On Dec 10, 2021, at 10:32 AM, Vincent Feyaerts <vincent.feyaerts at uantwerpen.be> wrote:
>
> Hi,
>
> I know this is more related to Jetty perhaps, and Shibboleth devs have no control over how an admin would set up his Shibboleth IdP. However, this question is related to a typical Shibboleth IdP 4.1.4, running on Linux, set up according to all the recommendations made by Shibboleth. We are running Jetty 9.44.
>
> I did a search on my Shib IdP filesystem and from what I can see, there are some references to log4j. But if I’m correct, and looking at the startup parameters of the JVM, my system uses logback for logging after slf4j. This is probably the default?
>
> Just looking for a confirmation that a typical Shibboleth IdP 4.1.4 on Jetty 9 is not vulnerable.
>
> Thank you
> Vincent Feyaerts
> --
> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
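
The filesystem search described in the question can be made more precise than matching "log4j" in file names, since SLF4J bridge jars carry that string without containing log4j-core. The sketch below is an added example, not code from this thread or from the Shibboleth project: it walks a directory, opens each jar/war/ear (including archives nested inside them) and reports those that contain log4j-core's `JndiLookup` class. The sample file names are constructed, and a hit only shows that log4j-core is present, so its version still has to be checked against the advisory.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j-core 2.x (the CVE-2021-44228 code path).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def scan_archive(data, label, hits):
    """Append label to hits if this archive, or one nested inside it, holds JndiLookup."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT):
                    scan_archive(zf.read(name), f"{label}!{name}", hits)
    except zipfile.BadZipFile:
        pass  # corrupt or non-zip file with an archive extension: skip it

def scan_tree(root):
    """Return sorted labels of every archive under root that contains JndiLookup.class."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), hits)
    return sorted(hits)

def make_jar(entries):
    """Build an in-memory zip from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_tree():
    """Constructed sample: an SLF4J bridge jar, a log4j-core jar, a war nesting one."""
    root = Path(tempfile.mkdtemp())
    core = make_jar({JNDI_CLASS: b""})
    (root / "log4j-over-slf4j-x.jar").write_bytes(make_jar({"org/apache/log4j/Logger.class": b""}))
    (root / "log4j-core-x.jar").write_bytes(core)
    (root / "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core-x.jar": core}))
    return str(root)

if __name__ == "__main__":
    print("\n".join(scan_tree(build_sample_tree())))
```

To use it on a real host, call `scan_tree()` with the IdP and servlet container installation directories instead of the constructed sample tree.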