Log4j CVE (non)-impact

Paul Caskey pcaskey at internet2.edu
Fri Dec 10 19:50:51 UTC 2021

Just a note that the InCommon Trusted Access Platform uses Tomcat and log4j in the IdP container and was vulnerable to this.

A patched version of the TAP IdP container image is available at the Docker Hub: "i2incommon/shib-idp:4.1.4_20211210" or "i2incommon/shib-idp:latest".


> -----Original Message-----
> From: announce <announce-bounces at shibboleth.net> On Behalf Of Cantor,
> Scott
> Sent: Friday, December 10, 2021 9:49 AM
> To: announce at shibboleth.net
> Subject: Log4j CVE (non)-impact
>
> We’re getting a lot of noise about this, just trying to save more emails here.
>
> Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not
> vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be
> manipulated to log to log4j through the slf4j API but we don't ship that or
> provide any code or examples for doing that.
>
> The Jetty on Windows package is equipped with logback for logging, not
> log4j.
>
> Otherwise, we have nothing to do with the servlet container configuration
> and logging choices you yourselves may or may not have made, or any other
> packaging of our software that may include log4j from other sources, that's
> outside our scope as a project.
>
> -- Scott
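
An added example, not part of the original thread and not code from the Shibboleth or InCommon projects: a Python inventory that separates the log4j implementation jar (`log4j-core`) from bridge and API jars, the distinction the quoted message draws, across a servlet container's files and inside WAR/EAR archives. The directory layout and the `0.0.0` version strings in `build_sample_tree` are constructed placeholders.

```python
import re
import zipfile
from pathlib import Path

# Maven artifact names. log4j-core is log4j itself; the others only bridge
# or expose an API. Assumption: jars keep their standard artifact file names.
IMPLEMENTATION = re.compile(r"(?:^|/)log4j-core-[^/]*\.jar$")
BRIDGE_OR_API = re.compile(r"(?:^|/)log4j-(?:over-slf4j|to-slf4j|api)-[^/]*\.jar$")


def classify(name):
    """Return 'implementation', 'bridge-or-api', or None for a jar path."""
    if IMPLEMENTATION.search(name):
        return "implementation"
    if BRIDGE_OR_API.search(name):
        return "bridge-or-api"
    return None


def inventory(root):
    """List log4j jars found on disk and inside .war/.ear archives under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        kind = classify(rel)
        if kind:
            findings.append((rel, kind))
        if path.suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for member in archive.namelist():
                    kind = classify(member)
                    if kind:
                        findings.append((f"{rel}!/{member}", kind))
    return findings


def has_log4j_implementation(root):
    """True when any log4j-core jar is present and its version needs review."""
    return any(kind == "implementation" for _, kind in inventory(root))


def build_sample_tree(root):
    """Constructed sample layout; jar names and versions are placeholders."""
    lib = Path(root) / "webapps" / "idp" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-over-slf4j-0.0.0.jar").touch()
    (lib / "logback-classic-0.0.0.jar").touch()
    with zipfile.ZipFile(Path(root) / "webapps" / "other.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-0.0.0.jar", b"")
```

Run `inventory()` against the container's install and webapp directories; a bridge-only result matches the Shibboleth case described above, while any `implementation` hit means the jar's version has to be checked against the advisory.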
