Connect2id server 11.6.5 security update
Yesterday’s security update of the Connect2id server, which addresses the critical CVE-2021-44228 vulnerability, is now backported to the latest 11.x release.
Use this update if you are still running an 11.x version.
Yesterday’s security announcement also has information on how to close the vulnerability in Log4j by setting a Java system property.
Note that the open source Nimbus JOSE+JWT library and the OAuth 2.0 / OpenID Connect SDK are not impacted by CVE-2021-44228, as they don’t perform internal logging (subject to policy).
Download
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 11.6.5: Connect2id-server.zip
SHA-256: de801b7ca3d6ed8a0b0e0b15dcbe4bbf36a4c54449fbc62920b389b5746dd77a
Connect2id server 11.6.5 WAR package: c2id.war
SHA-256: 79d26111d1690d533f3bd2d336e71db5bc2760ae977f69522b43009905539dfa
Multi-tenant edition
Apache Tomcat package with Connect2id server 11.6.5: Connect2id-server-mt.zip
SHA-256: 47a9c644a3c375107a73b444942a8add038ce721b26f978da3000f6254b2f91e
Connect2id server 11.6.5 WAR package: c2id-multi-tenant.war
SHA-256: eb642f6d8f6d44a68750ff12ab2c4178539de09506eab3ecca146a99f5a2cdd4
Questions?
Contact Connect2id support.
Release notes
11.6.5 (2021-12-11)
Resolved issues
- Updates Log4j to 12.5.0 to address a critical vulnerability described in CVE-2021-44228, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 (issue server/707).