Log4j CVE (non)-impact

Fri Dec 10 15:49:14 UTC 2021

We’re getting a lot of noise about this, just trying to save more emails here.

Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be manipulated to log to log4j through the slf4j API but we don't ship that or provide any code or examples for doing that.

The Jetty on Windows package is equipped with logback for logging, not log4j.

Otherwise, we have nothing to do with the servlet container configuration and logging choices you yourselves may or may not have made, or any other packaging of our software that may include log4j from other sources, that's outside our scope as a project.

-- Scott