Alla Shibboleth announcement -listalta Scott Cantorin tiedote Shibbolethin log4j-haavoittuvuden osalta.
Asia on tiedotettu myös erikseen haka-teknisten sähköpostilistalle.

Log4j CVE (non)-impact

"We’re getting a lot of noise about this, just trying to save more emails

Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not
vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be
manipulated to log to log4j through the slf4j API but we don't ship that or
provide any code or examples for doing that.

The Jetty on Windows package is equipped with logback for logging, not log4j.

Otherwise, we have nothing to do with the servlet container configuration and
logging choices you yourselves may or may not have made, or any other
packaging of our software that may include log4j from other sources, that's
outside our scope as a project.

-- Scott

  • No labels