...
Please note that the IdP does not, and will never, require write access to its configuration. Many potential vulnerabilities may rely on elevation of privilege by leveraging one bug to make a change to a configuration file that in turn exposes the system to an RCE. It is a good idea to make sure the configuration is owned by a different account than the one used to run the IdP’s JVM, and so make the configuration read-only. Just making the files read-only is not sufficient since ownership is enough to allow the mode to be changed back. This is not new, and is very general advice, but it’s worth remembering.
The version of Jetty provided with the Windows installer has been refreshed to the latest 9.4 revision. Note that some earlier versions dating back to 9.4.39 and possibly some later revisions exhibited a bug on Linux observed to cause low priority CPU exhaustion (noticeable but not such that higher priority activity would be interrupted). This issue resolved itself with the version included in this release. It is unknown to what extent this issue may or may not impact Windows.
4.1.4 (July 27, 2021)
This is a patch release that supersedes V4.1.3 and fixes a regression introduced into that version.
...