Thank you (!) for such a detailed response. We're (heavily) testing the 
resulting overlay and will update the list here with the end result.

Best,
  Bert

On Friday, April 8, 2022 at 11:17:35 AM UTC-4 randomuser878 wrote:

> You could try
> gradle.properties
> log4j2.version=2.17.1
> spring.version=5.2.20.RELEASE
> spring.securitycas.version=5.2.15.RELEASE
>
> build.gradle
> def log4JVersion = project.'log4j2.version'
> def springVersion = project.'spring.version'
> def springSecurityCasVersion = project.'spring.securitycas.version'
>
> dependencies {
> ....
>     // Override the log4J vulnerability, back-port
>     compile "org.apache.logging.log4j:log4j-api:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-core:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-jcl:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-jul:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-slf4j-impl:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-web:${log4JVersion}"
>
>     compile "org.springframework:spring-aop:${springVersion}"
>     compile "org.springframework:spring-beans:${springVersion}"
>     compile "org.springframework:spring-context:${springVersion}"
>     compile "org.springframework:spring-context-support:${springVersion}"
>     compile "org.springframework:spring-core:${springVersion}"
>     compile "org.springframework:spring-expression:${springVersion}"
>     compile "org.springframework:spring-jcl:${springVersion}"
>     compile "org.springframework:spring-jdbc:${springVersion}"
>     compile "org.springframework:spring-jms:${springVersion}"
>     compile "org.springframework:spring-messaging:${springVersion}"
>     compile "org.springframework:spring-orm:${springVersion}"
>     compile "org.springframework:spring-oxm:${springVersion}"
>
>     compile "org.springframework.security:spring-security-cas:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-config:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-core:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-crypto:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-web:${springSecurityCasVersion}"
>     compile "org.springframework:spring-tx:${springVersion}"
>     compile "org.springframework:spring-web:${springVersion}"
>     compile "org.springframework:spring-webmvc:${springVersion}"
>
> .....
>
> bootWar {
>     entryCompression = ZipEntryCompression.STORED
>     overlays {
>         cas {
>             from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
>             provided = false
>             excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar", "WEB-INF/lib/spring-*-5.2.0.RELEASE.jar"]
>         }
>     }
> }
>
>
> And heavy unit test...
> Good luck
> On Wednesday, April 6, 2022 at 10:55:58 PM UTC-4 Bert Bee-Lindgren wrote:
>
>> [We're working on upgrading from (heavily backported-patched) CAS 6.1 to 
>> something supported by the OS project. In the meantime....]
>>
>> We know our CAS 6.1 system is using SpringFramework 5.2.0 but is not 
>> directly vulnerable to the CVE-2022-22965 (not deployed as a .war in 
>> Tomcat). Nevertheless, we would like to start testing a SpringFramework 
>> upgrade to avoid future ways of reaching the vulnerability.
>>
>> The normal way would be to change our SpringBoot dependency, but CAS6.1 
>> uses SB2.2.4 and moving it to SB2.5.12 seems like a BIG jump. The 
>> SpringFramework upgrade from 5.2.0 to 5.2.20 seems preferable given it 
>> stays within the 5.2 release.
>>
>> To try to accomplish a SpringFramework upgrade, we've tried 
>> "springVersion=5.2.20" in gradle.properties, but the resulting project 
>> still seemed to be using 5.2.0. 
>>
>> Does anyone have advice on how to proceed?
>> -Upgrade SpringBoot from 2.2.4 to 2.5.12  (easy to do, worried it isn't 
>> likely to work)
>> -Upgrade SpringFramework from 5.2.0 --> 5.2.20 (we don't know how to do 
>> this)
>> -Something else?
>>
>> Thank you,
>>   Bert Bee-Lindgren
>>
>>
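The overlay recipe quoted above pins library versions in gradle.properties and relies on the `excludes` list in `bootWar` to drop the old jars that the upstream CAS war still carries; if that list is wrong, the build succeeds but ships both versions, which is the kind of "still seemed to be using 5.2.0" result the original question describes. The following is an added post-build check written for this thread (it is not code from the thread or from the CAS project) that opens the built WAR and reports two things: tracked jars below the pinned minimum, and artifacts present in more than one version. It assumes the `WEB-INF/lib/<artifact>-<version>.jar` layout shown in the thread's `excludes` patterns, uses the thread's pinned versions as the minimums, and constructs a small in-memory WAR so it runs offline; point `find_stale_jars` and `find_duplicate_artifacts` at the bytes of a real `build/libs/*.war` to use it on a real build.

```python
"""Post-build check for a Gradle overlay WAR: confirm the pinned library
versions actually replaced the upstream jars instead of sitting next to them.

Added example for this thread, not code from the thread or from CAS.
Assumes the WEB-INF/lib/<artifact>-<version>.jar layout; the sample WAR is
constructed below so the script runs offline.
"""
import io
import re
import zipfile

# Minimum acceptable version per artifact-name prefix, taken from the pins
# in the thread's gradle.properties. Longer prefixes are matched first so
# spring-security-* is governed by its own pin rather than the spring-* one.
MIN_VERSIONS = {
    "log4j-": "2.17.1",
    "spring-security-": "5.2.15.RELEASE",
    "spring-": "5.2.20.RELEASE",
}

# WEB-INF/lib/<name>-<version>.jar; the version must start with a digit so
# "log4j-core" is the name and "2.12.1" the version.
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<name>.+?)-(?P<version>\d[\w.]*?)\.jar$")


def parse_version(version):
    """Numeric components only: "5.2.20.RELEASE" -> (5, 2, 20)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def _tracked_jars(war_bytes):
    """Yield (entry, name, version) for every jar under WEB-INF/lib."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            match = JAR_RE.match(entry)
            if match:
                yield entry, match.group("name"), match.group("version")


def find_stale_jars(war_bytes):
    """Return [(entry, pinned_minimum)] for tracked jars below their pin."""
    prefixes = sorted(MIN_VERSIONS, key=len, reverse=True)
    stale = []
    for entry, name, version in _tracked_jars(war_bytes):
        prefix = next((p for p in prefixes if name.startswith(p)), None)
        if prefix is None:
            continue  # not one of the libraries we pinned
        if parse_version(version) < parse_version(MIN_VERSIONS[prefix]):
            stale.append((entry, MIN_VERSIONS[prefix]))
    return stale


def find_duplicate_artifacts(war_bytes):
    """Return {name: [versions]} for artifacts shipped in more than one
    version, which is what a missing or mistyped excludes pattern produces."""
    versions = {}
    for _entry, name, version in _tracked_jars(war_bytes):
        versions.setdefault(name, set()).add(version)
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def build_sample_war(jar_names):
    """Constructed stand-in for the build output: an in-memory WAR whose
    WEB-INF/lib contains empty entries with the given file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


# Constructed: the overlay added the pinned jars but the excludes did not
# remove the upstream ones, so both versions are on the classpath.
WITHOUT_EXCLUDES = build_sample_war([
    "log4j-core-2.12.1.jar", "log4j-core-2.17.1.jar",
    "spring-core-5.2.0.RELEASE.jar", "spring-core-5.2.20.RELEASE.jar",
    "spring-security-web-5.2.15.RELEASE.jar",
    "jackson-databind-2.10.2.jar",  # not pinned, ignored by the check
])

# Constructed: the same build with the excludes from the thread applied.
WITH_EXCLUDES = build_sample_war([
    "log4j-core-2.17.1.jar", "spring-core-5.2.20.RELEASE.jar",
    "spring-security-web-5.2.15.RELEASE.jar", "jackson-databind-2.10.2.jar",
])

if __name__ == "__main__":
    for label, war in (("without excludes", WITHOUT_EXCLUDES),
                       ("with excludes", WITH_EXCLUDES)):
        print(label)
        print("  stale jars:", find_stale_jars(war))
        print("  duplicate artifacts:", find_duplicate_artifacts(war))
```

Running it on a real war is `find_stale_jars(open("build/libs/cas.war", "rb").read())`; the duplicate check is the more useful of the two in practice, because a stale jar next to its replacement is exactly what a correct `excludes` pattern is supposed to prevent, and which version the JVM loads first is then up to classpath ordering.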

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/10654600-3868-4736-b64a-9c223012aae8n%40apereo.org.