Connect2id server 12.5.1 security update addressing Log4j CVE-2021-44228 (Log4Shell)
This release of the Connect2id server addresses the critical CVE-2021-44228 vulnerability (Log4Shell) announced today in the open source Log4j logging library, by updating the bundled Log4j to the fixed 2.15.0 version.
As explained today in the initial security notification email, all Connect2id server v7.x through v12.x deployments can mitigate the vulnerability by setting the following Java system property:
The setting of Java system properties is deployment specific. The various methods to do that, depending on whether you are using a container environment or some other deployment type, are explained in this guide.
Upgrading to the 12.5.1 release is still recommended.
Next week we hope to have the results of an assessment of whether the Connect2id server could have been exposed through this bug, which has existed in Log4j for several years.
Note that the open source Nimbus JOSE+JWT library and the OAuth 2.0 / OpenID Connect SDK are not impacted by CVE-2021-44228, as they perform no internal logging (a deliberate policy of those libraries).
This release also includes several other small updates that were initially planned for 12.6 later this month.
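For operators who want to verify a deployment before or after upgrading, the following added example (editor's code, not part of the Connect2id release or its code base) inspects a WAR such as c2id.war for the bundled log4j-core jar, compares its version against the fixed 2.15.0, and checks whether the mitigation system property is present in a JVM argument string. The notification email's property name is not reproduced on this page; the example assumes it is the Log4j project's own log4j2.formatMsgNoLookups switch, which only exists in Log4j 2.10.0 and later, so the check also treats older cores as unmitigated. The sample WAR built by build_sample_war is a constructed fixture with a stub jar, not a real Connect2id package.

```python
"""Offline check of a Connect2id server WAR and its JVM arguments for CVE-2021-44228 exposure.

Added example; not part of the Connect2id release or its code base.
"""
import io
import re
import zipfile

# Log4j version shipped with Connect2id server 12.5.1 (from the release notes).
FIXED_VERSION = (2, 15, 0)
# Assumption: the system property referred to in the security notification is the
# Log4j project's log4j2.formatMsgNoLookups switch, present in Log4j 2.10.0 and later.
MITIGATION_PROPERTY = "log4j2.formatMsgNoLookups"
MITIGATION_MIN_VERSION = (2, 10, 0)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def find_log4j_core(war_bytes):
    """Return [(entry, version_tuple, has_jndi_lookup)] for each log4j-core jar bundled in the WAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            match = LOG4J_CORE_JAR.search(entry)
            if not match:
                continue
            version = tuple(int(part) for part in match.groups())
            # Open the nested jar to see whether the JNDI lookup class is still present.
            with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
            found.append((entry, version, has_jndi))
    return found


def mitigation_property_set(jvm_args):
    """True if the last -Dlog4j2.formatMsgNoLookups=... in the JVM arguments is 'true'.

    The JVM keeps the last definition of a repeated -D property, so a later
    ...=false overrides an earlier ...=true.
    """
    value = None
    for match in re.finditer(r"-D" + re.escape(MITIGATION_PROPERTY) + r"=(\S+)", jvm_args):
        value = match.group(1).strip("'\"").lower()
    return value == "true"


def assess(war_bytes, jvm_args=""):
    """Classify a deployment as 'no-log4j-core', 'fixed', 'mitigated' or 'vulnerable'."""
    cores = find_log4j_core(war_bytes)
    if not cores:
        return "no-log4j-core"
    # Safe if every bundled log4j-core is at or above the fixed version, or has had
    # the JndiLookup class stripped out of the jar.
    if all(version >= FIXED_VERSION or not has_jndi for _, version, has_jndi in cores):
        return "fixed"
    # The property only helps on Log4j 2.10.0+ and only if it reaches the running JVM.
    if mitigation_property_set(jvm_args) and all(
        version >= MITIGATION_MIN_VERSION for _, version, _ in cores
    ):
        return "mitigated"
    return "vulnerable"


def build_sample_war(log4j_version, include_jndi_lookup=True):
    """Constructed test fixture: a minimal WAR with a stub log4j-core jar (not a real c2id.war)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-%s.jar" % log4j_version, jar_buf.getvalue())
    return war_buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_log4shell.py c2id.war "$CATALINA_OPTS"
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    print(assess(data, sys.argv[2] if len(sys.argv) > 2 else ""))
```

The property check only sees the argument string you hand it, so on a live Tomcat host pass the arguments of the running Java process (for example the output of `ps -o args= -C java`) rather than the contents of a startup script, since a property set in a file that the container never sources gives no protection.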
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.5.1: Connect2id-server.zip
Connect2id server 12.5.1 WAR package: c2id.war
Multi-tenant Connect2id server edition
Apache Tomcat package with Connect2id server 12.5.1: Connect2id-server-mt.zip
Connect2id server 12.5.1 WAR package: c2id-multi-tenant.war
Contact Connect2id support.
Updates Log4j to 2.15.0 to address the critical vulnerability described in CVE-2021-44228, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 (issue server/707).
Logs a WARN instead of INFO for OP5114 when the op.reg.allowLocalhostRedirectionURIsForTest configuration property is enabled (issue server/702).
Increases the default HTTP claims source op.httpClaimsSource.connectTimeout and op.httpClaimsSource.readTimeout values from 250ms to 1000ms to prevent timeouts on slow HTTP connections or slow claims sources (issue server/704).
Updates the op.httpClaimsSource.supportedClaims documentation to explain that setting the property to "*" indicates support for all claims supported by the OpenID provider without explicitly listing them (issue server/703).
Updates Log4j to 2.15.0
Updates to com.nimbusds:oidc-claims-source-http:2.2.1