Connect2id server 12.5.1 security update addressing Log4j CVE-2021-44228 (Log4Shell)

This release of the Connect2id server addresses the critical CVE-2021-44228 vulnerability announced today in the open source Log4j library, which is used to handle logging, by updating Log4j to the fixed 2.15.0 version.

As explained today in the initial security notification email, all Connect2id server v12.x through v7.x deployments can prevent the vulnerability by simply setting the following Java system property:

log4j2.formatMsgNoLookups=true

How Java system properties are set is deployment specific. The methods for doing so, depending on whether you are using a container environment or another deployment type, are explained in this guide.

Upgrading to the 12.5.1 release is still recommended.

Next week we hope to have the results of an assessment of whether the Connect2id server could have potentially been vulnerable due to this bug, which existed in Log4j for several years.

Note that the open source Nimbus JOSE+JWT library and the OAuth 2.0 / OpenID Connect SDK are not impacted by CVE-2021-44228, as they don't perform internal logging (subject to policy).

This release also includes several other small updates which were initially planned for 12.6 later this month.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5.1: Connect2id-server.zip

SHA-256: 60b4c8a439bf2cf95962c16bc74db2d0d1effa6f7877b68fc37a2453fd26d937

Connect2id server 12.5.1 WAR package: c2id.war

SHA-256: 009f6b0c4aadcb795812938f9a7c419b51587dda4df1610472766be26d8b65d2

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5.1: Connect2id-server-mt.zip

SHA-256: 11ebce9d315ac978da30521d4ac537bcf9baf173a06d4e88f0b1fdbbda01d398

Connect2id server 12.5.1 WAR package: c2id-multi-tenant.war

SHA-256: 39f0327a8c769dc4d157ca7d2b4cdab4d8b968bd53557e2a365188b01428427a
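An added set of pre-deployment checks for this release, written for this page and not part of the announcement or of Connect2id's own tooling: it verifies a downloaded package against the SHA-256 published above, reads the bundled log4j-core version out of an `unzip -l` listing and compares it with the 2.15.0 fix version, and tests whether a JVM command line carries the `log4j2.formatMsgNoLookups=true` property from the notification. It assumes `sha256sum` from coreutils is available and that the WAR keeps Log4j as `WEB-INF/lib/log4j-core-<version>.jar`.

```shell
#!/bin/sh
# Example checks for a downloaded Connect2id server package (not Connect2id's code).
# Assumes coreutils sha256sum and a WAR layout of WEB-INF/lib/log4j-core-<version>.jar.

# Hash published in this announcement for the standard edition c2id.war.
C2ID_WAR_SHA256="009f6b0c4aadcb795812938f9a7c419b51587dda4df1610472766be26d8b65d2"
# Log4j release this announcement names as the fix for CVE-2021-44228.
LOG4J_FIXED="2.15.0"

# verify_sha256 FILE EXPECTED -> succeeds only if the file hashes to EXPECTED
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# log4j_core_version -> reads an `unzip -l WAR` listing on stdin and prints the version
# embedded in the log4j-core jar name (e.g. "2.15.0"); prints nothing if no such jar
log4j_core_version() {
    sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p' | head -n 1
}

# version_ge A B -> succeeds if dotted version A is at least B (numeric per component)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# jvm_has_nolookups CMDLINE -> succeeds if the mitigation system property is present
jvm_has_nolookups() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_war WAR -> 0 if both the published hash and the Log4j version are acceptable
check_war() {
    verify_sha256 "$1" "$C2ID_WAR_SHA256" || { echo "hash mismatch: $1"; return 1; }
    v=$(unzip -l "$1" | log4j_core_version)
    [ -n "$v" ] && version_ge "$v" "$LOG4J_FIXED" ||
        { echo "log4j-core ${v:-missing} is below $LOG4J_FIXED"; return 1; }
}
```

Run `check_war c2id.war` after downloading, and `jvm_has_nolookups "$(ps -o args= -C java)"` on a host that still relies on the system property rather than the upgrade.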

Questions?

Contact Connect2id support.


Release notes

12.5.1 (2021-12-10)

Resolved issues

  • Updates Log4j to 2.15.0 to address the critical vulnerability described in CVE-2021-44228, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 (issue server/707).

  • Logs a WARN instead of INFO for OP5114 when the op.reg.allowLocalhostRedirectionURIsForTest configuration property is enabled (issue server/702).

  • Increases the default HTTP claims source op.httpClaimsSource.connectTimeout and op.httpClaimsSource.readTimeout values from 250ms to 1000ms to prevent timeouts on slow HTTP connections or slow claims sources (issue server/704).

  • Updates the op.httpClaimsSource.supportedClaims documentation to explain that setting the property to "*" indicates support for all claims supported by the OpenID provider without explicitly listing them (issue server/703).

Dependency changes

  • Updates Log4j to 2.15.0

  • Updates to com.nimbusds:oidc-claims-source-http:2.2.1