
List:       shibboleth-announce
Subject:    Log4j CVE (non)-impact
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2021-12-10 15:49:14
Message-ID: 760EA721-AE64-4389-AC1C-6AC0774806A8 () osu ! edu

We're getting a lot of noise about this, just trying to save more emails here.

Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be manipulated to log to log4j through the slf4j API but we don't ship that or provide any code or examples for doing that.

The Jetty on Windows package is equipped with logback for logging, not log4j.

Otherwise, we have nothing to do with the servlet container configuration and logging choices you yourselves may or may not have made, or any other packaging of our software that may include log4j from other sources, that's outside our scope as a project.

-- Scott


--
To unsubscribe from this list send an email to announce-unsubscribe@shibboleth.net
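
The message separates a log4j-to-slf4j bridge from log4j itself and leaves container and repackaging choices to the deployer. As an added example (not from the original message or the Shibboleth project), this scan walks a deployment tree and reports archives that actually contain the log4j-core `JndiLookup` class, including jars nested inside a war. The directory layout, jar names and function names are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# This class lives only in the log4j-core implementation jar, not in bridge jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def archive_has_core(data, depth=0):
    """True if the archive, or an archive nested inside it, holds JndiLookup."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith(JNDI_LOOKUP):  # endswith also catches shaded copies
                    return True
                if depth < 3 and name.lower().endswith(ARCHIVES):
                    if archive_has_core(zf.read(name), depth + 1):
                        return True
    except zipfile.BadZipFile:
        pass  # not a readable archive: nothing to report
    return False

def find_log4j_core(root):
    """Return root-relative paths of archives that contain log4j-core."""
    return [p.relative_to(root).as_posix()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in ARCHIVES
            and archive_has_core(p.read_bytes())]

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

def demo():
    """Constructed sample tree: one bridge-only webapp, one war bundling core."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib = root / "webapp-a" / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        # Bridge-style jar: exposes a log4j API class name, has no core classes.
        (lib / "sample-bridge.jar").write_bytes(make_jar(["org/apache/log4j/Logger.class"]))
        core = make_jar([JNDI_LOOKUP])
        (root / "webapp-b.war").write_bytes(make_jar(["WEB-INF/classes/x"]) [:0] or
            _war_with(core))
        return find_log4j_core(root)

def _war_with(inner):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/sample-log4j-core.jar", inner)
    return buf.getvalue()
```

A hit means log4j-core is present in that archive and its version needs checking; no hit means the class is absent, which is also the case where it was deliberately stripped from the jar.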

