Is FreeIPA affected by the Log4Shell vulnerability?

Hey folks,

I am trying to confirm if FreeIPA is affected by the Log4Shell vulnerability (CVE-2021-44228).

Is this the right forum to confirm?

It is not. The only component of FreeIPA that uses Java is the Dogtag PKI certificate system, and that isn’t configured to use log4j — although it can be. There is an update out for Fedora Linux 35 already, but if you’re on Fedora Linux 34 that patch is still in progress, so in that case if you’ve configured Dogtag to use log4j for some reason, you’ll want to employ some of the mitigations.

See thread here: [Freeipa-users] Re: CVE-2021-44228 log4j2 Vulnerbility | FreeIPA version 4.6.8 - FreeIPA-users - Fedora Mailing-Lists


Thanks @mattdm