We had the same problem and we did the following: 1. Overwrite BOM defined version in gradle.properties
# BOM overwritten versions # CVE-2021-44228 critical fix in 2.15.0. # 2.16.0 further secures. # See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4 log4j2.version=2.16.0 2. add the dependencies to build.gradle We use a fairly old CAS Server, so we use these deps. Normally, you do not have to state the ones which have no version, are taken with the version you defined in log4j2.version variable, but we stated them explicitly, so one knows what artifacts are affected. // Log4j2 critical security flaw fixed in 2.15.0 compile "org.apache.logging.log4j:log4j-api" compile "org.apache.logging.log4j:log4j-core" compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}" compile "org.apache.logging.log4j:log4j-slf4j-impl" compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version’}" 3. Exclude the old dependencies from war-overlay This is an important step. As you get the dependencies from the original, overlayed war file, you must exclude them in the war task, so only your versions are taken. war { ... // exclusion list of all dependencies contained in the original cas-WAR for which we use newer versions. // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war ! // log4j2 insecure version remove. See above. exclude "WEB-INF/lib/log4j-*-2.12.1.jar" exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar" exclude "WEB-INF/lib/slf4j-api-1.7.32.jar" } Hope that helps. > Am 14.12.2021 um 17:25 schrieb Jeffrey Ramsay <jeffrey.ram...@gmail.com>: > > Same experience. > > On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user <anamikagene...@gmail.com > <mailto:anamikagene...@gmail.com>> wrote: > We use cas 6.1.7 overlay template [still in pre-prod] for delegated > authentication. > As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and bounced > tomcat. > Is there a way we can exclude 2.12.1 from the build . [I can pull in 2.15.0 > by adding in build.gradle but conflict with 2.12.1]. We have issues when > upgrading to 6.3.7.2 > > Thanks > > > -- > - Website: https://apereo.github.io/cas <https://apereo.github.io/cas> > - Gitter Chatroom: https://gitter.im/apereo/cas <https://gitter.im/apereo/cas> > - List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7> > - Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG> > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org > <mailto:cas-user+unsubscr...@apereo.org>. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org?utm_medium=email&utm_source=footer>. > > -- > - Website: https://apereo.github.io/cas <https://apereo.github.io/cas> > - Gitter Chatroom: https://gitter.im/apereo/cas <https://gitter.im/apereo/cas> > - List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7> > - Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG> > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org > <mailto:cas-user+unsubscr...@apereo.org>. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOQ-AecysHAxD0FHEdBnTTHD3wNTa_d1xXcVVRmuC16A5g%40mail.gmail.com > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOQ-AecysHAxD0FHEdBnTTHD3wNTa_d1xXcVVRmuC16A5g%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/A6D22B3F-1993-4D04-A604-59DE522768B6%40gmail.com.
