BSI Warning for Log4j Vulnerability

On December 11, 2021, the German Federal Office for Information Security (BSI) published an urgent warning regarding the “log4j 2” Java programming library [1]. See [2] for English information on this vulnerability.

DAASI International does not generally use this software library, with few exceptions. The following DAASI International products and solutions are therefore not affected:

  • OpenLDAP
  • Shibboleth IdP (incl. ShibCAS and OIDC plugin), SP and EDS [3]
  • didmos1 (LUI, ETL Flow, Provisioner, PwSync, Background Processes)
  • midPoint [4]

Some of our products, however, do contain the vulnerable library “log4j 2”. We will approach those customers as soon as possible with concrete steps to remediate their systems.

[1]: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html (in German)
[2]: https://www.lunasec.io/docs/blog/log4j-zero-day/ and http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
[3]: https://shibboleth.net/pipermail/announce/2021-December/000253.html
[4]: https://evolveum.com/midpoint-not-vulnerable-to-log4shell

 
