Closed. networksecurityvodoo closed 2 years ago
If you use any of these libraries there is a possibility you could be impacted: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages
@pryorda Thanks for the hint.
I finally found time to test my assumption.
First I tested myself whether a recent Keycloak Standalone responds to the vulnerability. This wasn't the case for Registration and Login. (Screen attached)
When I searched further I stumbled upon the official announcement of the Keycloak core development team:
https://github.com/keycloak/keycloak/discussions/9078
So it seems that your Keycloak IDP is safe if you didn't use these APIs in your own SPIs. (Or somebody else did in an SPI they provided.)
@YfryTchsGD The IDM Keycloak should be added with FALSE and the note "See https://github.com/keycloak/keycloak/discussions/9078" to the list.
The open-source IAM Keycloak does not seem to be affected by the log4j vulnerability.
If you check the pom.xml of the core build, it states that org.jboss.logging is used for logging.
Source: https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging
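As an added example (not from this thread or the Keycloak project): the pom.xml check above can be complemented by inspecting the deployed artefacts themselves, since a custom SPI or a third-party deployment can bundle log4j-core even when the core build does not use it. The scanner below walks a distribution directory and looks for `JndiLookup.class` inside jars and inside archives nested in wars/ears; the directory layout and file names in `build_sample` are constructed for the demo.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Presence of this class marks a log4j-core 2.x build that carries the JNDI lookup.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data: bytes, label: str, hits: list) -> None:
    """Recursively search an archive (and archives nested in it) for JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", hits)

def scan_tree(root: Path) -> list:
    """Return labels (path!nested/path) of every archive that contains JndiLookup.class."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), hits)
    return hits

def build_sample(root: Path) -> None:
    """Constructed sample tree: a clean jboss-logging-style jar and a war nesting a log4j-core jar."""
    clean = root / "modules" / "jboss-logging.jar"
    clean.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/jboss/logging/Logger.class", b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
    war = root / "deployments" / "custom-spi.war"
    war.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())

def demo() -> list:
    """Build the constructed tree in a temp dir and scan it; only the nested jar should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return scan_tree(Path(tmp))

if __name__ == "__main__":
    for hit in demo():
        print("log4j-core JndiLookup found in:", hit)
```

Run it against an unpacked Keycloak directory with `scan_tree(Path("/path/to/keycloak"))`; a hit only tells you a log4j-core with the JNDI lookup is bundled, so confirm the version and whether it is actually on the runtime classpath before concluding exposure.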