Log4j CVE (non)-impact

John C. Pfeifer pfeifer at umd.edu
Fri Dec 10 20:00:26 UTC 2021

Pail, any chance of a new 4.0.1 image? We are not quite ready to just to 4.1.x.

John Pfeifer
Division of Information Technology
University of Maryland, College Park

> On Dec 10, 2021, at 2:50 PM, Paul Caskey <pcaskey at internet2.edu> wrote:
> Just a note that the InCommon Trusted Access Platform uses tomcat and log4j in the IdP container and was vulnerable to this.
> A patched version of the TAP IdP container image is available at the Docker hub: "i2incommon/shib-idp:4.1.4_20211210" or "i2incommon/shib-idp:latest"
> Thanks,
> -Paul
>> -----Original Message-----
>> From: announce <announce-bounces at shibboleth.net> On Behalf Of Cantor,
>> Scott
>> Sent: Friday, December 10, 2021 9:49 AM
>> To: announce at shibboleth.net
>> Subject: Log4j CVE (non)-impact
>> We’re getting a lot of noise about this, just trying to save more emails here.
>> Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not
>> vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be
>> manipulated to log to log4j through the slf4j API but we don't ship that or
>> provide any code or examples for doing that.
>> The Jetty on Windows package is equipped with logback for logging, not
>> log4j.
>> Otherwise, we have nothing to do with the servlet container configuration
>> and logging choices you yourselves may or may not have made, or any other
>> packaging of our software that may include log4j from other sources, that's
>> outside our scope as a project.
>> -- Scott
>> --
>> To unsubscribe from this list send an email to announce-
>> unsubscribe at shibboleth.net
> -- 
> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list