A critical severity vulnerability (CVE-2021-44228 AKA Log4Shell) has been discovered in the popular Log4J v2 logging library. Due to the popularity of this logging library in many Java applications and the fact this vulnerability is being actively exploited we are letting customers know how this affects Overt Software and our supported services.
We can confirm that the Shibboleth IdP does not use Log4j and is therefore not affected by this vulnerability. Please see the official announcement of this by one of the Shibboleth developers at https://marc.info/?l=shibboleth-announcement.
The Overt IdP dashboard is not affected by this either. Some Overt IdP dashboard instances utilise ElasticSearch, though these are only accessible from the server itself and ElasticSearch's default configuration mitigates most of these issues anyway. Whilst not affected directly, as per our normal patching policy we will update these ElasticSearch instances to the latest version once available anyway.
The Shibboleth Service Provider does not use any Java components, so is not affected.
Multi-factor Authentication (MFA) and Self Service Password Reset (SSPR) service
Our MFA and SSPR services do not use any vulnerable libraries, so are not affected.
Moodle is not affected as it does not use Java, however, a very small number of deployments utilise Apache Solr for global search which is affected.
If you have not specifically requested for this to be installed, you do not have it. Of those systems that do have it installed, it is locked down so only the local IP (to allow Moodle itself to communicate with it) can access it. This largely negates the issue.
We have carried out an audit and implemented mitigations for those running Solr and will be in touch shortly if any action is required on your side.
Mahara does not use any Java components, so is not affected.
Big Blue Button
Big Blue button instances do not use this logging library, so are not affected.
Only instances with the IMAP Apache Solr plugin installed are affected. All of our supported instances either have this disabled (default) or have been updated to be secure from the vulnerability.
EZPZ SP (WordPress SAML plugin)
This solution is not written in Java, so is not affected.
If you have any questions about this vulnerability, please add a support ticket to the customer support portal or contact firstname.lastname@example.org.
For more information on the underlying vulnerability please see: