Thanks @robertoschwald

That worked for me as well

build.gradle
-------------------
dependencies {
    compile "org.apache.logging.log4j:log4j-api:2.15.0"
    compile "org.apache.logging.log4j:log4j-core:2.15.0"
    compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
    compile "org.apache.logging.log4j:log4j-jul:2.15.0"
    compile "org.apache.logging.log4j:log4j-web:2.15.0"
    compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar"]
        }
    }
}

On Tuesday, December 14, 2021 at 10:41:32 AM UTC-6 robertoschwald wrote:

> We had the same problem and we did the following:
>
> 1. Overwrite BOM defined version in gradle.properties
>
> # BOM overwritten versions
> # CVE-2021-44228 critical fix in 2.15.0.
> # 2.16.0 further secures.
> # See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> log4j2.version=2.16.0
>
> 2. add the dependencies to build.gradle
> We use a fairly old CAS Server, so we use these deps. Normally, you do not 
> have to state the ones which have no version; they are taken with the version 
> you defined in the log4j2.version variable, but we stated them explicitly so 
> one knows what artifacts are affected.
>
> // Log4j2 critical security flaw fixed in 2.15.0
> compile "org.apache.logging.log4j:log4j-api"
> compile "org.apache.logging.log4j:log4j-core"
> compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
> compile "org.apache.logging.log4j:log4j-slf4j-impl"
> compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"
>
> 3. Exclude the old dependencies from war-overlay
> This is an important step.
> As you get the dependencies from the original, overlayed war file, you 
> must exclude them in the war task, so only your versions are taken.
>
> war {
> ...
>   // exclusion list of all dependencies contained in the original cas-WAR for which we use newer versions.
>   // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war !
>   // log4j2 insecure version remove. See above.
>   exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
>   exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
>   exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
> }
>
> Hope that helps.
>
>
>
> On 14.12.2021 at 17:25, Jeffrey Ramsay <[email protected]> wrote:
>
> Same experience.
>
> On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user <[email protected]> 
> wrote:
>
>> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated 
>> authentication.
>> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and 
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build? [I can pull in 
>> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues 
>> when upgrading to 6.3.7.2.
>>
>> Thanks
>>
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org
>>  
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>

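The thread's fix has one failure mode worth checking for after the build: if the war/bootWar exclusion is wrong or incomplete, the overlayed cas.war still ships the old log4j-*-2.12.1.jar files next to the new ones, and which copy the classloader picks is not something you want to guess at. The script below is an added example, not code from the CAS project or from anyone in the thread. It opens a built war, lists the log4j artifacts under WEB-INF/lib, reports duplicate versions of the same artifact and any artifact below a minimum version, and notes which log4j-core jars still carry the JndiLookup class (reported for reference only). The names audit_war, build_sample_war and demo are hypothetical, the wars it audits are constructed in a temp directory to keep the example offline, and the 2.16.0 minimum follows the quoted advice and is an assumption you can change.

```python
"""Audit a built cas.war for leftover or duplicate Log4j 2 jars.

Added example; not code from the CAS project or the thread above.
It checks the two outcomes the thread warns about: old log4j-*-2.12.1.jar
files still copied in from the overlayed war next to the new ones
(duplicate dependencies), and any log4j artifact below a chosen minimum
version. The names audit_war, build_sample_war and demo are hypothetical;
the 2.16.0 minimum follows the quoted advice and is an assumption.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List

# WEB-INF/lib/log4j-core-2.12.1.jar -> ("log4j-core", "2.12.1")
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")
# The lookup class behind CVE-2021-44228; its presence is reported for reference only.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version: str) -> tuple:
    """'2.12.1' -> (2, 12, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_war(war_path: str, min_version: str = "2.16.0") -> Dict[str, object]:
    """Inspect WEB-INF/lib of a war and report log4j versions, duplicates,
    jars below min_version and log4j-core jars that still carry JndiLookup."""
    versions: Dict[str, List[str]] = {}
    jndi_lookup: List[str] = []
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            match = LOG4J_JAR.match(entry)
            if not match:
                continue
            artifact, version = match.groups()
            versions.setdefault(artifact, []).append(version)
            if artifact == "log4j-core":
                # The jar is itself a zip; open it in memory and look for the class.
                with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                    if JNDI_LOOKUP in jar.namelist():
                        jndi_lookup.append(entry)
    duplicates = {a: sorted(v) for a, v in versions.items() if len(set(v)) > 1}
    too_old = sorted(
        f"{a}-{v}" for a, vs in versions.items() for v in vs
        if parse_version(v) < parse_version(min_version)
    )
    return {
        "versions": versions,
        "duplicates": duplicates,
        "too_old": too_old,
        "jndi_lookup": jndi_lookup,
        "ok": not duplicates and not too_old,
    }


def build_sample_war(path: str, lib_jars: Dict[str, bool]) -> str:
    """Write a constructed war (sample data, not a real CAS build). Each key is a
    jar file name for WEB-INF/lib; True means the jar gets a JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar_name, has_jndi in lib_jars.items():
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w") as jar:
                jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
                if has_jndi:
                    jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
            war.writestr(f"WEB-INF/lib/{jar_name}", buf.getvalue())
    return path


def demo() -> Dict[str, Dict[str, object]]:
    """Audit two constructed wars: one where the overlay exclusion was forgotten
    (old and new jars side by side) and one where it was applied."""
    workdir = tempfile.mkdtemp()
    before = build_sample_war(os.path.join(workdir, "cas-before.war"), {
        "log4j-api-2.12.1.jar": False,
        "log4j-core-2.12.1.jar": True,
        "log4j-api-2.16.0.jar": False,
        "log4j-core-2.16.0.jar": True,
        "slf4j-api-1.7.32.jar": False,
    })
    after = build_sample_war(os.path.join(workdir, "cas-after.war"), {
        "log4j-api-2.16.0.jar": False,
        "log4j-core-2.16.0.jar": True,
        "log4j-web-2.16.0.jar": False,
        "slf4j-api-1.7.32.jar": False,
    })
    return {"before": audit_war(before), "after": audit_war(after)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "OK" if report["ok"] else "PROBLEMS", report["duplicates"], report["too_old"])
```

Point audit_war at the real build/libs/cas.war once the overlay build has run; a non-empty "duplicates" list means the exclude pattern in the war/bootWar task did not catch every old jar, and a non-empty "too_old" list means some log4j module (log4j-jcl, log4j-web and friends) was not lifted to the same version as log4j-core.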