Mathew, Sunil smathew at hbs.edu
Wed Jun 7 16:22:32 UTC 2023

Hi All,

We are using shib-idp:4.2.1_20220624 docker image in AWS.

Qualys is complaining about the existence of this file:


relates to this CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-45105 - description from Qualys:

Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (CVE-2021-45105), this was made public on December 18, 2021

Affected versions:
Log4j versions all versions from 2.0-beta9 to 2.16.0, excluding 2.12.3, 2.3.1

QID Detection: (Authenticated) - Windows
On the Windows system, the QID identifies a vulnerable instance of log4j via WMI to check log4j included in the running processes via the command-line.

QID Detection: (Authenticated) - Linux
This detection is based on querying the OS package managers on the target. If the target has a log4j package with a version less than or equal to 2.16.0, the target is flagged! as vulnerable.

How can I remediate this vulnerability?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230607/4784adb1/attachment.htm>

More information about the users mailing list