Log4j CVE (non)-impact

Paul Caskey pcaskey at internet2.edu
Fri Dec 10 22:28:30 UTC 2021


OK, I did a 4.0.1 container too:
i2incommon/shib-idp:4.0.1_20211210


> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of John C. Pfeifer
> Sent: Friday, December 10, 2021 2:00 PM
> To: Shib Users <users at shibboleth.net>
> Cc: announce at shibboleth.net
> Subject: Re: Log4j CVE (non)-impact
> 
> Paul, any chance of a new 4.0.1 image? We are not quite ready to just go to 4.1.x.
> 
> //
> John Pfeifer
> Division of Information Technology
> University of Maryland, College Park
> 
> > On Dec 10, 2021, at 2:50 PM, Paul Caskey <pcaskey at internet2.edu> wrote:
> >
> > Just a note that the InCommon Trusted Access Platform uses tomcat and
> > log4j in the IdP container and was vulnerable to this.
> >
> > A patched version of the TAP IdP container image is available at the Docker
> > hub: "i2incommon/shib-idp:4.1.4_20211210" or "i2incommon/shib-idp:latest"
> >
> >
> > Thanks,
> > -Paul
> >
> >
> >> -----Original Message-----
> >> From: announce <announce-bounces at shibboleth.net> On Behalf Of Cantor, Scott
> >> Sent: Friday, December 10, 2021 9:49 AM
> >> To: announce at shibboleth.net
> >> Subject: Log4j CVE (non)-impact
> >>
> >> We're getting a lot of noise about this, just trying to save more emails
> >> here.
> >>
> >> Shibboleth does not use log4j. We ship a bridge for it to slf4j but
> >> that's not vulnerable, the bug is in log4j itself. We allow (in
> >> theory) the IdP to be manipulated to log to log4j through the slf4j
> >> API but we don't ship that or provide any code or examples for doing that.
> >>
> >> The Jetty on Windows package is equipped with logback for logging,
> >> not log4j.
> >>
> >> Otherwise, we have nothing to do with the servlet container
> >> configuration and logging choices you yourselves may or may not have
> >> made, or any other packaging of our software that may include log4j
> >> from other sources, that's outside our scope as a project.
> >>
> >> -- Scott
> >>
> >>
> >> --
> >> To unsubscribe from this list send an email to announce-
> >> unsubscribe at shibboleth.net
> > --
> > For Consortium Member technical support, see
> > https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> > To unsubscribe from this list send an email to
> > users-unsubscribe at shibboleth.net
> 


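A stand-alone check added here (not code from this thread, from Shibboleth or from the InCommon TAP project) for the situation Scott describes: the same deployment can carry a log4j-to-slf4j bridge jar, which is not affected, next to a real log4j-core jar pulled in by the servlet container or other packaging. The scan walks a WAR or jar and every jar nested under it, reports log4j-core with its pom version and whether the JndiLookup class is present, and distinguishes that from a bridge/API-only jar; the class-path markers and the sample WAR layout are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Jar-layout markers this check relies on (assumptions about upstream packaging):
CORE_PREFIX = "org/apache/logging/log4j/core/"          # classes found only in log4j-core 2.x
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"   # class behind the JNDI lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
API_PREFIXES = ("org/apache/log4j/", "org/apache/logging/log4j/")  # API or bridge jars

def make_jar(entries: dict) -> bytes:
    """Build an in-memory jar (zip) from {entry_name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan_archive(data: bytes, name: str = "<root>") -> dict:
    """Classify an archive and every .jar/.war nested in it (e.g. WEB-INF/lib/*.jar)."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = "unknown"
            if POM_PROPS in names:
                m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.M)
                if m:
                    version = m.group(1).decode().strip()
            state = "present" if JNDI_LOOKUP in names else "removed"
            verdicts[name] = f"log4j-core {version}, JndiLookup {state}"
        elif any(n.startswith(API_PREFIXES) for n in names):
            verdicts[name] = "log4j API/bridge only, no log4j-core"
        else:
            verdicts[name] = "no log4j"
        for n in names:                      # recurse into nested archives
            if n.endswith((".jar", ".war")):
                verdicts.update(scan_archive(zf.read(n), f"{name}!{n}"))
    return verdicts

# Constructed sample: an IdP-style WAR whose WEB-INF/lib holds a bridge jar
# beside a real log4j-core jar (the mix the thread warns about).
SAMPLE_WAR = make_jar({
    "WEB-INF/lib/log4j-over-slf4j.jar": make_jar({"org/apache/log4j/Logger.class": b""}),
    "WEB-INF/lib/log4j-core.jar": make_jar({
        CORE_PREFIX + "Logger.class": b"",
        JNDI_LOOKUP: b"",
        POM_PROPS: b"version=2.14.1\n",   # constructed version string
    }),
})

if __name__ == "__main__":
    for archive, verdict in scan_archive(SAMPLE_WAR).items():
        print(f"{archive}: {verdict}")
```

Against a container image, run it over the extracted IdP WAR and the servlet container's lib directory rather than trusting jar file names, since the bridge and the real log4j-core are told apart by their class entries.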