By: Cris Osborne user 20 Dec 2021 at 9:58 a.m. CST

5 Responses
Cris Osborne gravatar
Hi, As per remediation advice for the new vulnerabilities CVE-2021-44228 and CVE-2021-45046. We have checked and our version has Log4j 2.11.2 installed within Gluu. We have been informed by our Gluu contact (Davin) that you will be able to provide a remediation script (im not sure if this removes the vulnerability (aka removes the JndiLookup class from the classpath: zip -q -d log4j-core-.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) or patches log4j to a safe version? Currently the service/site that uses Gluu is offline, so this is highly urgent for us. Any help/support would be much appriciated. Kind regards, Cris

By Mohib Zico staff 20 Dec 2021 at 10:02 a.m. CST

Mohib Zico gravatar
Hi Cris, Here is our response on that issue: https://gluu.org/log4j-response/ Thanks!

By Cris Osborne user 20 Dec 2021 at 10:22 a.m. CST

Cris Osborne gravatar
Hi Mohib, Do you have a link to that? I'm struggling to find it on your site? Also would you (Gluu support) be able to provide any support to the upgrade process? Kind regards, Cris

By Mohib Zico staff 20 Dec 2021 at 11:46 a.m. CST

Mohib Zico gravatar
Community will be notified when script published for community use. Right now, we are patching / helping our supported customer to patch.

By Mohib Zico staff 22 Dec 2021 at 12:28 p.m. CST

Mohib Zico gravatar
Hi Cris, I had a discussion with Davin. For our customer, there are few options out there which won't require upgrade at this moment to at least handle this vulnerabilities. Do you have any customization in your oxauth, identity, idp?

By Cris Osborne user 22 Dec 2021 at 12:47 p.m. CST

Cris Osborne gravatar
Hi Mohib, Not as far as im aware, thats great thanks, if you could let us know those options that would be great. Also can you CC jack.jones@crowncommercial.gov.uk into this ticket please? Kind regards, Cris