CVE-2021-44228 - is a typical Shibboleth IdP 4.1.4 on Jetty 9.44 affected?

Kevin Foote kevin.foote at
Fri Dec 10 17:54:21 UTC 2021

Covered here. 


- kpfoote

> On Dec 10, 2021, at 10:32 AM, Vincent Feyaerts <vincent.feyaerts at> wrote:
> Hi,
> I know this is more related to Jetty perhaps, and Shibboleth devs have no control over how an admin would set up his Shibboleth IdP. However, this question is related to a typical Shibboleth IdP 4.1.4, running on Linux, set-up according to all the recommendations made by Shibboleth. We are running Jetty 9.44.
> I did a search on my Shib IdP filesystem and from what I can see, there are some references to log4j. But if I’m correct, and looking at the startup parameters of the JVM, my system uses logback for logging after slf4j. This is probably the default?
> Just looking for a confirmation that a typical Shibboleth IdP 4.1.4 on Jetty 9 is not vulnerable.
> Thank you
> Vincent Feyaerts
> -- 
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list