Hi Tasha Koha itself doesnt, but if you are using ElasticSearch as the search engine that does, so you will want to patch your ElasticSearch servers. You are correct there is a mention of log4j in the shibboleth config, but it doesn't use log4j. "Shibboleth does not use log4j. We ship a bridge for it to slf4j but that's not vulnerable, the bug is in log4j itself. We allow (in theory) the IdP to be manipulated to log to log4j through the slf4j API but we don't ship that or provide any code or examples for doing that." https://shibboleth.net/pipermail/announce/2021-December/000253.html Chris On 14/12/21 2:16 pm, Bales (US), Tasha R wrote:
Is Koha impacted by the log4j issue?
https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-...
The Koha Wiki makes minor use of the characters "log4j" in an article about Shibboleth configuration.
Apologies if this is an inappropriate email. I've been advised to either patch or turn my server off this week if there is an impact. I've found various advice suggesting to do x, y, z to see if log4j is installed, then contrary advice that suggests that x, y, z may not be adequate. I am wholly unqualified to make inferences, so thought it best to ask the "source".
Thanks.
Tasha Bales Enterprise Services http://isesi.web.boeing.com/
Library Services Catalog upgrade is coming! For the latest news and FAQ regarding the upgrade, see Library Announcements<http://library.web.boeing.com/help/announcements.html>. Questions? Please contact library@boeing.com<mailto:library@boeing.com>.
_______________________________________________
Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha