Re: [cas-user] log4j vulnerability remediation

2021-12-31 Thread Baba Ndiaye
Yes, new update for cas-overlay-template.


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRukRcZnJHGKtqp4OKU8%3DxV%3DGyROj6SGX3%2BHWx7ExQQKVA%40mail.gmail.com.


Re: [cas-user] log4j vulnerability remediation

2021-12-30 Thread Andy Ng
And... 2.17.1 is out as well.



Re: [cas-user] log4j vulnerability remediation

2021-12-20 Thread Pablo Vidaurri

2.17.0 is actually out now.


Re: [cas-user] log4j vulnerability remediation

2021-12-16 Thread Raph C
Hi,

You have to exclude log4j* from WEB-INF/lib from the overlay plugin and add the
correct version as a dependency (use 2.16.0 instead; a new CVE appeared on
Tuesday).
Regards,



Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Joe Manavalan
Thanks @robertoschwald

That worked for me as well.

build.gradle
---
dependencies {
    compile "org.apache.logging.log4j:log4j-api:2.15.0"
    compile "org.apache.logging.log4j:log4j-core:2.15.0"
    compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
    compile "org.apache.logging.log4j:log4j-jul:2.15.0"
    compile "org.apache.logging.log4j:log4j-web:2.15.0"
    compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            // drop the 2.12.1 jars shipped inside the upstream WAR so only the versions declared above remain
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar"]
        }
    }
}


Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Robert Oschwald
We had the same problem and we did the following:

1. Overwrite the BOM-defined version in gradle.properties

# BOM overwritten versions
# CVE-2021-44228 critical fix in 2.15.0.
# 2.16.0 further secures.
# See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
log4j2.version=2.16.0

2. Add the dependencies to build.gradle
We use a fairly old CAS Server, so we use these deps. Normally, you do not have
to state the ones which have no version; they are taken with the version you defined
in the log4j2.version variable, but we stated them explicitly, so one knows what
artifacts are affected.

// Log4j2 critical security flaw fixed in 2.15.0
compile "org.apache.logging.log4j:log4j-api"
compile "org.apache.logging.log4j:log4j-core"
compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
compile "org.apache.logging.log4j:log4j-slf4j-impl"
compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"

3. Exclude the old dependencies from the war overlay
This is an important step.
As you get the dependencies from the original, overlaid war file, you must
exclude them in the war task, so only your versions are taken.

war {
    ...
    // Exclusion list of all dependencies contained in the original CAS WAR
    // for which we use newer versions. You must exclude all of them,
    // otherwise we get duplicate dependencies in our cas.war!
    // Remove the insecure log4j2 version (see above).
    exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
    exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
    exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
}

Hope that helps.



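An added check, example code that is not from anyone in this thread: after building the overlay, open the resulting WAR and confirm that the exclude really removed the upstream log4j-*-2.12.1.jar files and that exactly one patched Log4j version remains, which is the duplicate-dependency failure the war-task comment above warns about. Assumptions: 2.17.1 (the last release named in the thread) is used as the minimum acceptable version, and the two sample WARs are constructed in-memory stand-ins for a real cas.war.

```python
import io
import re
import sys
import zipfile
from typing import Dict, List, Tuple

# Assumption: 2.17.1, the last release named in this thread, is the floor;
# any log4j jar older than that in WEB-INF/lib is reported as unpatched.
MIN_SAFE_VERSION: Tuple[int, ...] = (2, 17, 1)
# WEB-INF/lib/log4j-core-2.12.1.jar -> ("log4j-core", "2.12.1")
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def audit_war(war_bytes: bytes, min_safe: Tuple[int, ...] = MIN_SAFE_VERSION) -> List[str]:
    """Return findings for the WAR; an empty list means it passes."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = LOG4J_JAR.match(name)
            if match:
                found.setdefault(match.group(1), []).append(match.group(2))
    findings: List[str] = []
    if "log4j-core" not in found:
        findings.append("no log4j-core jar found in WEB-INF/lib")
    for artifact, versions in sorted(found.items()):
        if len(versions) > 1:
            # Overlay exclude missing or mistyped: old and new jars both shipped
            findings.append(f"{artifact}: duplicate versions {sorted(versions)}")
        for version in versions:
            if parse_version(version) < min_safe:
                findings.append(f"{artifact}-{version}.jar is below {'.'.join(map(str, min_safe))}")
    return findings


def build_sample_war(entries: List[str]) -> bytes:
    """Constructed stand-in for cas.war: a zip containing only the named entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for entry in entries:
            war.writestr(entry, b"")
    return buf.getvalue()


# Constructed: overlay built WITHOUT the exclude, so both versions land in the WAR
UNEXCLUDED = build_sample_war([
    "WEB-INF/lib/log4j-core-2.12.1.jar", "WEB-INF/lib/log4j-api-2.12.1.jar",
    "WEB-INF/lib/log4j-core-2.17.1.jar", "WEB-INF/lib/log4j-api-2.17.1.jar",
    "WEB-INF/lib/slf4j-api-1.7.32.jar",
])
# Constructed: overlay built WITH exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
EXCLUDED = build_sample_war([
    "WEB-INF/lib/log4j-core-2.17.1.jar", "WEB-INF/lib/log4j-api-2.17.1.jar",
    "WEB-INF/lib/log4j-slf4j18-impl-2.17.1.jar",
])

if __name__ == "__main__":  # usage: python audit_war.py build/libs/cas.war
    for line in audit_war(open(sys.argv[1], "rb").read()) or ["OK: one patched Log4j version"]:
        print(line)
```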


Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Jeffrey Ramsay
Same experience.



[cas-user] log4j vulnerability remediation

2021-12-14 Thread apereo_cas_user
We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
authentication.
As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
bounced tomcat.
Is there a way we can exclude 2.12.1 from the build? [I can pull in 2.15.0
by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues when
upgrading to 6.3.7.2.

Thanks
