Connect2id server 11.6.5 security update

Yesterday's security update of the Connect2id server, which addresses the critical CVE-2021-44228 vulnerability, has been backported to the latest 11.x release.

Use this update if you are still using an 11.x version.

Yesterday's security announcement also explains how to close the vulnerability in Log4j by setting a Java system property.

Note that the open source Nimbus JOSE+JWT library and the OAuth 2.0 / OpenID Connect SDK are not impacted by CVE-2021-44228, as they don't perform internal logging (subject to policy).


Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.5:

SHA-256: de801b7ca3d6ed8a0b0e0b15dcbe4bbf36a4c54449fbc62920b389b5746dd77a

Connect2id server 11.6.5 WAR package: c2id.war

SHA-256: 79d26111d1690d533f3bd2d336e71db5bc2760ae977f69522b43009905539dfa

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.5:

SHA-256: 47a9c644a3c375107a73b444942a8add038ce721b26f978da3000f6254b2f91e

Connect2id server 11.6.5 WAR package: c2id-multi-tenant.war

SHA-256: eb642f6d8f6d44a68750ff12ab2c4178539de09506eab3ecca146a99f5a2cdd4


Contact Connect2id support.

Release notes

11.6.5 (2021-12-11)

Resolved issues

  • Updates Log4j to 12.5.0 to address a critical vulnerability described in CVE-2021-44228 (issue server/707).