Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread Robert Oschwald
Thanks for the clarification. Sent while mobile. From: 'Richard Frovarp' via CAS Community Sent: Sunday, December 12, 2021 6:10:15 PM To: cas-user@apereo.org Subject: Re: [cas-user] log4j2 vulnerability Newer versions of the JDK are still affected. The newer JDK

Re: [cas-user] log4j2 vulnerability

2021-12-12 Thread 'Richard Frovarp' via CAS Community
-user@apereo.org Subject: Re: [cas-user] log4j2 vulnerability Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as JNDI lookups are disabled there by default. https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021

Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Robert Oschwald
Jdk 1.8 192 or newer or jdk11 11.0.2 or newer are not affected it seems, as JNDI lookups are disabled there by default. https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228 Sent while mobile. > Am 11.12.2021 um 13:44 schrieb

Re: [cas-user] log4j2 vulnerability

2021-12-11 Thread Anders Collstrup
My fix was the following: CAS 6.1 running on Debian 10. All except CAS installed from standard repos. Created this file: /usr/share/tomcat9/bin/setenv.sh containing: JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True" After restart of Tomcat I could see the following in the log: 10-Dec-2021

[cas-user] log4j2 vulnerability

2021-12-10 Thread Manuel Cones
Hello, due to the recently discovered log4j2 vulnerability, what's the way to mitigate it? Should I add log4j2.formatMsgNoLookups=true to the cas.properties file? Thanks in advance, Manuel. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List