Newer versions of the JDK are still affected. The newer JDK versions stop JNDI 
from running remote code, but they don't stop JNDI lookup. An attacker can still 
exfil data through the DNS lookup. Also, there are other paths to exploit with 
this attack. It was first found via JNDI LDAP to execute remote code. There is 
now a known path using classes present in Apache Tomcat. There will be more 
that are found. Update Log4j or put the environment variable in.
________________________________
From: [email protected] <[email protected]> on behalf of Robert Oschwald 
<[email protected]>
Sent: Saturday, December 11, 2021 09:24
To: [email protected] <[email protected]>
Subject: Re: [cas-user] log4j2 vulnerability

JDK 1.8 192 or newer or JDK11 11.0.2 or newer are not affected, it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

On 11.12.2021 at 13:44, Anders Collstrup <[email protected]> wrote:


My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

Created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones <[email protected]> wrote:
Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
mitigate it?

Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae1c7b48-1c3e-4c3c-b762-f5a8e5794df9n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae1c7b48-1c3e-4c3c-b762-f5a8e5794df9n%40apereo.org?utm_medium=email&utm_source=footer>.
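
A way to confirm and apply the -Dlog4j2.formatMsgNoLookups setting discussed in this thread, as an added example that is not part of any poster's message. The function names are made up for illustration, and ensure_setenv appends to JAVA_OPTS instead of overwriting it as the one-line setenv.sh quoted above does.

```shell
#!/bin/sh
# Added example, not from the thread: check and apply the JVM flag discussed above.
FLAG='-Dlog4j2.formatMsgNoLookups'   # property name as quoted in the thread

# flag_enabled TEXT
# TEXT is a JVM command line or Tomcat "Command line argument:" log lines.
# Succeeds when the last FLAG=value in TEXT is "true" in any letter case
# (the thread uses "True"); a repeated -D option takes its last value.
flag_enabled() {
    value=$(printf '%s\n' "$1" | tr -s ' \t' '\n\n' |
        awk -F= -v f="$FLAG" '$1 == f { v = $2 } END { print tolower(v) }')
    [ "$value" = "true" ]
}

# effective_opts FILE
# Prints JAVA_OPTS as it stands after FILE (a setenv.sh) is sourced.
# Sourcing executes FILE, so point it only at a file you administer.
effective_opts() {
    ( JAVA_OPTS=${JAVA_OPTS-}; . "$1" >/dev/null 2>&1; printf '%s' "$JAVA_OPTS" )
}

# ensure_setenv FILE
# Appends the flag to FILE unless FILE already leaves it enabled. Unlike a
# plain JAVA_OPTS="..." assignment, the appended line keeps options set earlier.
ensure_setenv() {
    if [ -f "$1" ] && flag_enabled "$(effective_opts "$1")"; then
        return 0
    fi
    printf 'JAVA_OPTS="$JAVA_OPTS %s=true"\n' "$FLAG" >> "$1"
}

# Startup log line quoted in the thread, joined onto one line.
LOG_LINE='10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True'
if flag_enabled "$LOG_LINE"; then
    echo "flag present on the JVM command line"
fi
```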
