YfryTchsGD / Log4jAttackSurface


Anyone know if FreeIPA is affected #33

Open christheradioguy opened 2 years ago

christheradioguy commented 2 years ago

I know FreeIPA runs Tomcat which I believe is vulnerable. I haven't been able to reproduce the vulnerability by injecting headers or POST data, but am curious if anyone has been able to confirm one way or another if FreeIPA is vulnerable or not.

jopple commented 2 years ago

No comment on FreeIPA, but scroll down to the closed issue re Tomcat if that's what is causing you the most concern about FreeIPA.

christheradioguy commented 2 years ago

Thanks, looks like the default Tomcat configuration does use log4j (at least there exists a log4j.jar and log4j.properties file) but disabling it doesn't seem to have any ill effect.