Log4j CVE (non)-impact
pavel.sipos at arnes.si
Sun Dec 12 13:03:48 UTC 2021
Is the Shibboleth SP (3.2.3 or older) safe from log4j exploit too?
I am asking, as we use the default logging settings that came in the RPM package
for CentOS 7 or CentOS 8, and the logger configs have the log4j definitions.
Example native.logger config:
On 10/12/2021 20:50, Paul Caskey wrote:
> Just a note that the InCommon Trusted Access Platform uses tomcat and log4j in the IdP container and was vulnerable to this.
> A patched version of the TAP IdP container image is available at the Docker hub: "i2incommon/shib-idp:4.1.4_20211210" or "i2incommon/shib-idp:latest"
>> -----Original Message-----
>> From: announce <announce-bounces at shibboleth.net> On Behalf Of Cantor,
>> Sent: Friday, December 10, 2021 9:49 AM
>> To: announce at shibboleth.net
>> Subject: Log4j CVE (non)-impact
>> We’re getting a lot of noise about this, just trying to save more emails here.
>> Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not
>> vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be
>> manipulated to log to log4j through the slf4j API but we don't ship that or
>> provide any code or examples for doing that.
>> The Jetty on Windows package is equipped with logback for logging, not
>> Otherwise, we have nothing to do with the servlet container configuration
>> and logging choices you yourselves may or may not have made, or any other
>> packaging of our software that may include log4j from other sources, that's
>> outside our scope as a project.
>> -- Scott
Pavel Sipos, Arnes <pavel.sipos at arnes.si>
ARNES, p.p. 7, SI-1001 Ljubljana, Slovenia
T: +386 1 479 88 00
W: www.arnes.si, aai.arnes.si
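The practical question behind this thread is whether a given deployment actually bundles the Java log4j-core library (the vulnerable component), as opposed to the log4j-to-slf4j bridge that Shibboleth ships or a container image somebody else assembled. The scanner below is an added example written for this page; it is not code from the thread or from the Shibboleth project. It opens jars, wars and ears, recurses into embedded jars, and reports any archive that carries log4j-core's Maven `pom.properties` or the `JndiLookup` class, classifying versions below 2.15.0 (the first release addressing the issue) as vulnerable. The sample archives it scans are constructed in memory with a few placeholder bytes standing in for class files; the `build_samples`, `scan` and `inspect_archive` names are this example's own. Note that this check only applies to Java deployments (IdP in a servlet container, container images); the SP's `native.logger` file is read by the C++ daemon and uses a log4j-style property syntax, not the Java log4j library, so a jar scan has nothing to say about it.

```python
import io
import zipfile

# Marker paths inside a log4j-core jar (standard Maven packaging layout).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0)  # first log4j 2 release addressing the JNDI lookup issue
NESTED = (".jar", ".war", ".ear")


def parse_version(text):
    """Turn '2.14.1' or '2.14.1-SNAPSHOT' into (2, 14, 1); trailing qualifiers are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def inspect_archive(data, name):
    """Return findings for one archive given as bytes, recursing into embedded archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_lookup = JNDI_LOOKUP in names
        # Only archives that look like log4j-core itself produce a finding; an slf4j
        # bridge or the log4j 1.x API classes alone carry neither marker.
        if has_lookup or version is not None:
            if version is None:
                status = "unknown-version"
            elif has_lookup and version < FIRST_FIXED:
                status = "vulnerable"
            else:
                status = "patched-or-mitigated"
            findings.append({"archive": name, "version": version,
                             "jndi_lookup": has_lookup, "status": status})
        for member in sorted(names):
            if member.endswith(NESTED):
                findings.extend(inspect_archive(zf.read(member), name + "!" + member))
    return findings


def _make_zip(entries):
    """Build a zip archive in memory from a {path: content} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_samples():
    """Constructed sample deployment: a war bundling an old log4j-core plus a bridge jar,
    and a standalone newer log4j-core. The 4-byte class bodies are placeholders."""
    stub = b"\xca\xfe\xba\xbe"
    old_core = _make_zip({JNDI_LOOKUP: stub, POM_PROPS: "version=2.14.1\n"})
    new_core = _make_zip({JNDI_LOOKUP: stub, POM_PROPS: "version=2.17.1\n"})
    # Imitation of a log4j-over-slf4j style bridge: only log4j 1.x API class names, no core.
    bridge = _make_zip({"org/apache/log4j/Logger.class": stub})
    war = _make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old_core,
                     "WEB-INF/lib/log4j-over-slf4j.jar": bridge})
    return {"app.war": war, "log4j-core-2.17.1.jar": new_core}


def scan(archives):
    """Map every flagged archive path (outer!inner notation) to its status."""
    report = {}
    for name, data in archives.items():
        for finding in inspect_archive(data, name):
            report[finding["archive"]] = finding["status"]
    return report


if __name__ == "__main__":
    for path, status in scan(build_samples()).items():
        print(f"{status:22} {path}")
```

On a real host, replace `build_samples()` with a walk over the servlet container's `lib`, `webapps` and any exploded `WEB-INF/lib` directories, reading each archive's bytes; the bridge jar in the sample deliberately produces no finding, which is the distinction Scott's note draws.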