LinOTP / LinOTP

LinOTP - the open source solution for two factor authentication
GNU Affero General Public License v3.0

Is LinOTP vulnerable to log4j exploits? #173

Open Subramanian-ERS opened 2 years ago

Subramanian-ERS commented 2 years ago

Hello Team,

I have installed LinOTP on my Amazon Linux machine using yum, and am using it for 2FA in our organization. I can see that LinOTP does not use Java. But I would like to confirm that LinOTP does not use log4j. If it is used, is LinOTP vulnerable to the log4j zero-day exploits?

authprivsec commented 2 years ago

LinOTP and the underlying software stack are NOT compromised by CVE-2021-44228 according to our current analysis.

LinOTP and the LinOTP Smart Virtual Appliance do not use Java or Java libraries and are therefore NOT vulnerable to CVE-2021-44228 according to current information.

Since our LinOTP server products do not contain any Java components, we currently also assume that it is very unlikely that this assessment will change.
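A host-side check for the statement above, as an added example that is not part of the thread and not code from the LinOTP project: it walks a directory tree and reports any Java archive, including jars nested inside wars or fat jars, that contains the log4j-core `JndiLookup.class`. The function names, the nesting and size limits, and the sample archives are assumptions made for this illustration.

```python
import io, os, sys, tempfile, zipfile

# Class whose presence marks a log4j-core 2.x jar that can perform JNDI lookups.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # do not unpack huge nested members into memory

def scan_archive(fileobj, label, depth=0, max_depth=4):
    """Return labels of archives (nested ones included) that hold JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for info in zf.infolist():
                name = info.filename
                if name == JNDI_LOOKUP or name.endswith("/" + JNDI_LOOKUP):
                    hits.append(label)
                elif (name.lower().endswith(ARCHIVE_EXT) and depth < max_depth
                      and info.file_size <= MAX_NESTED_BYTES):
                    nested = io.BytesIO(zf.read(info))
                    hits += scan_archive(nested, f"{label}!{name}", depth + 1, max_depth)
    except Exception:
        pass  # not a zip, unreadable, corrupt or encrypted: skipped, not reported
    return list(dict.fromkeys(hits))  # de-duplicate, keep discovery order

def scan_tree(root):
    """Walk root (symlinks not followed) and scan every Java-style archive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                hits += scan_archive(path, path)
    return hits

def build_sample_tree(root):
    """Constructed sample data: one harmless jar, one war bundling a fake log4j-core."""
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("com/example/App.class", b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_tree(root)  # no path given: use the constructed sample
    print(root, "->", scan_tree(root) or "no JndiLookup.class found")
```

The scan covers packaged archives only; class files unpacked into plain directories and archives it cannot open are not reported.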