My fix was the following: CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

Created this file: /usr/share/tomcat9/bin/setenv.sh containing:

JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of Tomcat I could see the following in the log:

10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 9:01 PM King, Robert <[email protected]> wrote:

> Just rolled out this mitigation to our servers, seems to be effective for CAS 6.3.x builds.
>
> Our environment for reference:
>
> - Standalone Tomcat
> - OpenJDK
> - CAS and CAS-Management as deployed jars
> - CAS and CAS-Management built from cas-overlay and cas-management-overlay repos.
>
> Mitigated by adding "-Dlog4j2.FormatMsgNoLookups=true" into the Tomcat startup in systemd tomcat.service file.
>
> *From:* 'Richard Frovarp' via CAS Community <[email protected]>
> *Sent:* Friday, December 10, 2021 3:29 PM
> *To:* [email protected]
> *Subject:* [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability
>
> Maybe? The one that I've seen
>
> https://logging.apache.org/log4j/2.x/security.html
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to your JVM and not in the config file.
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the log4j2.xml config file might do the trick.
>
> I'm guessing we'd do that somewhere here at the top?
>
> <?xml version="1.0" encoding="UTF-8" ?>
> <!-- Specify the refresh internal in seconds. -->
> <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
> <Properties>
> <Property name="baseDir">/etc/cas/logs</Property>
> </Properties>
> <Appenders>
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <[email protected]> wrote:
>
> Using a new enough version of the JDK might also alleviate it? The other option is to throw the config option at the JDK to stop it from happening. That would seem to be easiest.
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
> Has anyone attempted to mitigate this CVE yet?
>
> There seem to be two possible approaches to mitigation:
>
> 1. The sledgehammer approach of removing the JndiLookup.class from the jar files:
>
> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> 2. Rebuild CAS and set "log4jVersion=2.15.0"
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.
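The thread above leaves a defender with three things to verify after rolling out a mitigation: that JndiLookup.class is really gone from the log4j-core jar (the `zip -d` approach), that the jar is at least 2.15.0 if it was rebuilt, and that the running Tomcat actually picked up `-Dlog4j2.formatMsgNoLookups` (the VersionLoggerListener line the first poster found in the log). The following is an added example, not code from this thread or from the CAS project; the jar it inspects is a constructed in-memory stand-in, and it assumes the version is recorded as `Implementation-Version` in the jar manifest.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Case-insensitive so both spellings used in the thread (formatMsgNoLookups /
# FormatMsgNoLookups) are found in the Tomcat startup log.
FLAG_RE = re.compile(r"Command line argument: -Dlog4j2\.formatMsgNoLookups=(\S+)", re.I)


def make_sample_jar(version="2.14.1", with_jndi_lookup=True) -> bytes:
    """Constructed stand-in for a log4j-core jar; NOT a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe")
    return buf.getvalue()


def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Same effect as `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`:
    rewrite the archive with every entry except JndiLookup.class."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def log4j_version(jar_bytes: bytes) -> tuple:
    """Implementation-Version from the manifest as an int tuple, e.g. (2, 14, 1)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def jar_needs_mitigation(jar_bytes: bytes) -> bool:
    """True when the jar is older than 2.15.0 AND still ships JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        has_lookup = JNDI_LOOKUP in zf.namelist()
    return has_lookup and log4j_version(jar_bytes) < (2, 15, 0)


def jvm_flag_from_catalina_log(log_text: str):
    """True/False if Tomcat's VersionLoggerListener logged the flag, None if it never
    appeared. Java's Boolean.parseBoolean is case-insensitive, so '=True' counts."""
    m = FLAG_RE.search(log_text)
    return None if m is None else m.group(1).lower() == "true"
```

Run `jar_needs_mitigation` over each log4j-core jar under the Tomcat and CAS deployment paths, and `jvm_flag_from_catalina_log` over catalina.out after the restart; a None result means the JAVA_OPTS or systemd change never reached the JVM.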
