[cas-user] Re: CAS 6.4

2021-12-11 Thread Jeffrey Ramsay
I added some additional repositories and that solved the problem.

maven {
    url "https://maven.repository.redhat.com/ga/"
}
maven {
    url "https://repo1.maven.org/maven2/"
}

-Jeff

On Sat, Dec 11, 2021 at 10:54 AM Jeffrey Ramsay 
wrote:

> Hello -
>
> I need some help to resolve the following in a new build. The problem is
> only occurring when I try to add support for the "implementation
> "org.apereo.cas:cas-server-support-radius-mfa"" module. What do I need to
> do to add the missing library?
>
> Execution failed for task ':bootWarMainClassName'.
> > Could not resolve all files for configuration ':runtimeClasspath'.
>> Could not find gnu-getopt:getopt:1.0.13.
>  Required by:
>  project : >  org.apereo.cas:cas-server-support-radius-core:6.4.4
> > net.jradius:jradius-apps:1.1.5
>
> ---
>
> My current setup ...
>
> build.gradle:
> -
> dependencies {
>     /**
>      * CAS dependencies and modules may be listed here.
>      *
>      * There is no need to specify the version number for each dependency
>      * since versions are all resolved and controlled by the dependency management
>      * plugin via the CAS bom.
>      **/
>
>     implementation "org.apereo.cas:cas-server-core-api-configuration-model"
>     implementation "org.apereo.cas:cas-server-webapp-init"
>
>     implementation "org.apereo.cas:cas-server-support-jdbc"
>     implementation "org.apereo.cas:cas-server-support-jdbc-drivers"
>     implementation "org.apereo.cas:cas-server-support-ldap"
>     implementation "org.apereo.cas:cas-server-support-saml"
>     implementation "org.apereo.cas:cas-server-support-saml-idp"
>     implementation "org.apereo.cas:cas-server-support-jpa-service-registry"
>     implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry"
>     implementation "org.apereo.cas:cas-server-support-memcached-spy"
>     implementation "org.apereo.cas:cas-server-support-generic"
>     implementation "org.apereo.cas:cas-server-support-actions"
>     implementation "org.apereo.cas:cas-server-core-api-authentication"
>     implementation "org.apereo.cas:cas-server-core-authentication-api"
>     implementation "org.apereo.cas:cas-server-core-authentication"
>     implementation "org.apereo.cas:cas-server-core-authentication-attributes"
>     implementation "org.apereo.cas:cas-server-core-services-authentication"
>     implementation "org.apereo.cas:cas-server-core-configuration"
>     implementation "org.apereo.cas:cas-server-core-configuration-api"
>     implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
>     implementation "org.apereo.cas:cas-server-core-util-api"
>     implementation "org.apereo.cas:cas-server-support-radius"
>     implementation "org.apereo.cas:cas-server-support-radius-core"
>     implementation "org.apereo.cas:cas-server-support-radius-mfa"
>     implementation "org.apereo.cas:cas-server-support-oidc"
>
>     if (project.hasProperty("casModules")) {
>         def dependencies = project.getProperty("casModules").split(",")
>         dependencies.each {
>             def projectsToAdd = rootProject.subprojects.findAll {project ->
>                 project.name == "cas-server-core-${it}" || project.name == "cas-server-support-${it}"
>             }
>             projectsToAdd.each {implementation it}
>         }
>     }
> }
>
> --
>
> $ ./gradlew clean build
> To honour the JVM settings for this build a single-use Daemon process will
> be forked. See
> https://docs.gradle.org/7.3.1/userguide/gradle_daemon.html#sec:disabling_the_daemon
> .
> Daemon will be stopped at the end of the build
> > Task :bootWarMainClassName FAILED
>
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Execution failed for task ':bootWarMainClassName'.
> > Could not resolve all files for configuration ':runtimeClasspath'.
>> Could not find gnu-getopt:getopt:1.0.13.
>  Required by:
>  project : > org.apereo.cas:cas-server-support-radius-core:6.4.4 >
> net.jradius:jradius-apps:1.1.5
>
> * Try:
> > Run with --stacktrace option to get the stack trace.
> > Run with --info or --debug option to get more log output.
> > Run with --scan to get full insights.
>
> * Get more help at https://help.gradle.org
>
> Deprecated Gradle features were used in this build, making it incompatible
> with Gradle 8.0.
>
> You can use '--warning-mode all' to show the individual deprecation
> warnings and determine if they come from your own scripts or plugins.
>
> See
> https://docs.gradle.org/7.3.1/userguide/command_line_interface.html#sec:command_line_warnings
>
> BUILD FAILED in 18s
> 8 actionable tasks: 8 executed
>
> Thanks,
> -Jeff
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the 

[cas-user] CAS 6.4

2021-12-11 Thread Jeffrey Ramsay
Hello -

I need some help to resolve the following in a new build. The problem is
only occurring when I try to add support for the "implementation
"org.apereo.cas:cas-server-support-radius-mfa"" module. What do I need to
do to add the missing library?

Execution failed for task ':bootWarMainClassName'.
> Could not resolve all files for configuration ':runtimeClasspath'.
   > Could not find gnu-getopt:getopt:1.0.13.
 Required by:
 project : >  org.apereo.cas:cas-server-support-radius-core:6.4.4 >
net.jradius:jradius-apps:1.1.5

---

My current setup ...

build.gradle:
-
dependencies {
    /**
     * CAS dependencies and modules may be listed here.
     *
     * There is no need to specify the version number for each dependency
     * since versions are all resolved and controlled by the dependency management
     * plugin via the CAS bom.
     **/

    implementation "org.apereo.cas:cas-server-core-api-configuration-model"
    implementation "org.apereo.cas:cas-server-webapp-init"

    implementation "org.apereo.cas:cas-server-support-jdbc"
    implementation "org.apereo.cas:cas-server-support-jdbc-drivers"
    implementation "org.apereo.cas:cas-server-support-ldap"
    implementation "org.apereo.cas:cas-server-support-saml"
    implementation "org.apereo.cas:cas-server-support-saml-idp"
    implementation "org.apereo.cas:cas-server-support-jpa-service-registry"
    implementation "org.apereo.cas:cas-server-support-memcached-ticket-registry"
    implementation "org.apereo.cas:cas-server-support-memcached-spy"
    implementation "org.apereo.cas:cas-server-support-generic"
    implementation "org.apereo.cas:cas-server-support-actions"
    implementation "org.apereo.cas:cas-server-core-api-authentication"
    implementation "org.apereo.cas:cas-server-core-authentication-api"
    implementation "org.apereo.cas:cas-server-core-authentication"
    implementation "org.apereo.cas:cas-server-core-authentication-attributes"
    implementation "org.apereo.cas:cas-server-core-services-authentication"
    implementation "org.apereo.cas:cas-server-core-configuration"
    implementation "org.apereo.cas:cas-server-core-configuration-api"
    implementation "org.apereo.cas:cas-server-support-jdbc-authentication"
    implementation "org.apereo.cas:cas-server-core-util-api"
    implementation "org.apereo.cas:cas-server-support-radius"
    implementation "org.apereo.cas:cas-server-support-radius-core"
    implementation "org.apereo.cas:cas-server-support-radius-mfa"
    implementation "org.apereo.cas:cas-server-support-oidc"

    if (project.hasProperty("casModules")) {
        def dependencies = project.getProperty("casModules").split(",")
        dependencies.each {
            def projectsToAdd = rootProject.subprojects.findAll {project ->
                project.name == "cas-server-core-${it}" || project.name == "cas-server-support-${it}"
            }
            projectsToAdd.each {implementation it}
        }
    }
}

--

$ ./gradlew clean build
To honour the JVM settings for this build a single-use Daemon process will
be forked. See
https://docs.gradle.org/7.3.1/userguide/gradle_daemon.html#sec:disabling_the_daemon
.
Daemon will be stopped at the end of the build
> Task :bootWarMainClassName FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':bootWarMainClassName'.
> Could not resolve all files for configuration ':runtimeClasspath'.
   > Could not find gnu-getopt:getopt:1.0.13.
 Required by:
 project : > org.apereo.cas:cas-server-support-radius-core:6.4.4 >
net.jradius:jradius-apps:1.1.5

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible
with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation
warnings and determine if they come from your own scripts or plugins.

See
https://docs.gradle.org/7.3.1/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 18s
8 actionable tasks: 8 executed

Thanks,
-Jeff

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOS%2BQ%2Bs3xuor4wh0c2aimO0BQMiYUnjorQXGih0ZYzqgJA%40mail.gmail.com.


Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Robert Oschwald
Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as 
JNDI lookups are disabled there by default.

https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228



Sent while mobile.

> On 11.12.2021 at 13:44, Anders Collstrup wrote:
> 
> 
> My fix was the following:
> 
> CAS 6.1 running on Debian 10. All except CAS installed from standard repos
> 
> created this file:
> /usr/share/tomcat9/bin/setenv.sh
> 
> containing::
> JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"
> 
> After restart of tomcat I could see the following in the log:
> 10-Dec-2021 18:49:18.681 INFO [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
> -Dlog4j2.formatMsgNoLookups=True
> 
>> On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones  wrote:
>> Hello, due to the recently discovered log4j2 vulnerability, what's the way to 
>> mitigate it?
>> 
>> 
>> Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?
>> 
>> Thanks in Advance,
>> Manuel.


Re: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

2021-12-11 Thread Anders Collstrup
My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing::
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 9:01 PM King, Robert  wrote:

> Just rolled out this mitigation to our servers, seems to be effective for
> CAS 6.3.x builds.
>
>
>
> Our environment for reference:
>
>
>
> - Standalone Tomcat
>
> - OpenJDK
>
> - CAS and CAS-Management as deployed jars
>
> - CAS and CAS-Management built from cas-overlay and cas-management-overlay
> repos.
>
>
>
> Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat
> startup in systemd tomcat.service file.
>
>
>
>
>
> *From:* 'Richard Frovarp' via CAS Community 
> *Sent:* Friday, December 10, 2021 3:29 PM
> *To:* cas-user@apereo.org
> *Subject:* [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability
>
>
>
> Maybe? The one that I've seen
>
> https://logging.apache.org/log4j/2.x/security.html
>
>
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to
> your JVM and not in the config file.
>
>
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
> the log4j2.xml config file might do the trick.
>
>
>
> I'm guessing we'd do that somewhere here at the top?
>
>
>
> 
> 
> 
> 
> /etc/cas/logs
> 
> 
>
>
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
> cas-user@apereo.org> wrote:
>
> Using a new enough version of the JDK might also alleviate it? The other
> option is to throw the config option at the JDK to stop it from happening.
> That would seem to be easiest.
>
>
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
>
>
> Has anyone attempted to mitigate this CVE yet?
>
>
>
> There seem to be two possible approaches to mitigation:
>
>
>
> 1. The sledgehammer approach of removing the JndiLookup.class from the jar
> files:
>
>
>
> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
>
>
> 2. Rebuild CAS and set “log4jVersion=2.15.0”
>
> 
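
A check for the two mitigations discussed in this thread, as an added example that is not part of any poster's message or of CAS itself: it walks a deployment directory, opens WAR/JAR files (including jars nested under WEB-INF/lib), and reports for each log4j-core jar its version, whether JndiLookup.class is still present, and whether the version is 2.10 or later and so reads log4j2.formatMsgNoLookups at all. The function names and the sample archives built in `demo()` are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")
FLAG_SINCE = (2, 10)  # log4j2.formatMsgNoLookups is only read by Log4j 2.10 and later


def scan_archive(data, label, findings):
    """Record log4j-core jars in this archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        names = zf.namelist()
        match = CORE_JAR.search(label)
        if match:
            version = tuple(int(part) for part in match.group(1).split("."))
            findings.append((label, version, JNDI_CLASS in names, version >= FLAG_SINCE))
        for name in names:
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)


def audit(root):
    """Return (location, version, jndi_lookup_present, flag_honoured) per log4j-core jar."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings


def _archive(entries):
    """Build a constructed in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo():
    """Constructed sample tree: an untouched jar inside a WAR, and a stripped old jar."""
    with tempfile.TemporaryDirectory() as tmp:
        inner = _archive({JNDI_CLASS: b"", "META-INF/MANIFEST.MF": b""})
        Path(tmp, "cas.war").write_bytes(_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": inner}))
        Path(tmp, "log4j-core-2.9.1.jar").write_bytes(_archive({"META-INF/MANIFEST.MF": b""}))
        return audit(tmp)
```

Call `audit()` on the directory that holds the deployed WAR or exploded webapp. A row with `True` in the third field still ships the lookup class, and `False` in the fourth means the system property has no effect on that jar.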

Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Anders Collstrup
My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing::
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 7:37 PM Manuel Cones  wrote:

> Hello, due to the recently discovered log4j2 vulnerability, what's the way to
> mitigate it?
>
>
> Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?
>
> Thanks in Advance,
> Manuel.
>