OpenConext and log4j

[Thijs Kinkhorst]

Hi all,

No doubt most of us are already well aware of the log4j vulnerability (https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/).

OpenConext uses logback, not log4j in the major components. We use log4j in a dependency of the PDP but this is the unaffected 1.x branch.

We therefore see no immediate action for OpenConext to take. Of anyone has concerns, or relevant information to share, please do not hesitate either on-list or via private message.

Kind regards,

Thijs