log4j vulnerability remediation


apereo_cas_user

Dec 14, 2021, 11:02:48 AM12/14/21
to CAS Community
We use the CAS 6.1.7 overlay template [still in pre-prod] for delegated authentication.
As a temp solution we replaced log4j 2.12.1 with 2.15.0 manually and bounced Tomcat.
Is there a way we can exclude 2.12.1 from the build? [I can pull in 2.15.0 by adding it in build.gradle, but it conflicts with 2.12.1.] We have issues when upgrading to 6.3.7.2.

Thanks

Jeffrey Ramsay

Dec 14, 2021, 11:26:14 AM12/14/21
to CAS Community
Same experience.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/affbd618-e1e6-427f-b333-e00ca54bf1aen%40apereo.org.

Robert Oschwald

Dec 14, 2021, 11:41:32 AM12/14/21
to cas-...@apereo.org
We had the same problem and we did the following:

1. Override the BOM-defined version in gradle.properties

# BOM overwritten versions
# CVE-2021-44228 critical fix in 2.15.0.
# 2.16.0 further secures.
# See https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
log4j2.version=2.16.0

2. Add the dependencies to build.gradle
We use a fairly old CAS server, so we use these deps. Normally you do not have to state the ones that have no version, as they are taken with the version you defined in the log4j2.version variable, but we stated them explicitly so one knows which artifacts are affected.

// Log4j2 critical security flaw fixed in 2.15.0
compile "org.apache.logging.log4j:log4j-api"
compile "org.apache.logging.log4j:log4j-core"
compile "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
compile "org.apache.logging.log4j:log4j-slf4j-impl"
compile "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"

3. Exclude the old dependencies from the war overlay
This is an important step.
As you get the dependencies from the original, overlaid war file, you must exclude them in the war task, so only your versions are taken.

war {
...
  // Exclusion list of all dependencies contained in the original CAS war for which we use newer versions.
  // You must exclude all of them, otherwise we get duplicate dependencies in our cas.war!
  // Remove the insecure log4j2 version (see above).
  exclude "WEB-INF/lib/log4j-*-2.12.1.jar"
  exclude "WEB-INF/lib/jul-to-slf4j-1.7.32.jar"
  exclude "WEB-INF/lib/slf4j-api-1.7.32.jar"
}

Hope that helps.



Joe Manavalan

Dec 14, 2021, 1:09:28 PM12/14/21
to CAS Community, robertoschwald
Thanks @robertoschwald

That worked for me as well.

build.gradle
-------------------
dependencies {
    compile "org.apache.logging.log4j:log4j-api:2.15.0"
    compile "org.apache.logging.log4j:log4j-core:2.15.0"
    compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
    compile "org.apache.logging.log4j:log4j-jul:2.15.0"
    compile "org.apache.logging.log4j:log4j-web:2.15.0"
    compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar"]
        }
    }
}

Pablo Vidaurri

Dec 14, 2021, 1:58:31 PM12/14/21
to CAS Community, apereo_cas_user
Note v2.16.0 is now out... a patch for the patch.

Jeffrey Ramsay

Dec 14, 2021, 10:43:34 PM12/14/21
to CAS Community, apereo_cas_user
Robert and Joe,

Your examples were really helpful. I was able to combine the steps and patch our systems.

Thanks,
-Jeff


Baba Ndiaye

Dec 15, 2021, 2:22:44 PM12/15/21
to CAS Community, apereo_cas_user
Good evening,
I would like to know, if we update log4j to 2.16, how to tell whether CAS supports it (uses it), and also whether for the update we only need to add these lines:


dependencies {
    compile "org.apache.logging.log4j:log4j-api:2.15.0"
    compile "org.apache.logging.log4j:log4j-core:2.15.0"
    compile "org.apache.logging.log4j:log4j-jcl:2.15.0"
    compile "org.apache.logging.log4j:log4j-jul:2.15.0"
    compile "org.apache.logging.log4j:log4j-web:2.15.0"
    compile "org.apache.logging.log4j:log4j-slf4j18-impl:2.15.0"
}

Jeffrey Ramsay

Dec 15, 2021, 2:46:39 PM12/15/21
to CAS Community
I did this based on what was posted earlier in the thread to update 6.2.

-- add to build.gradle dependencies section

    implementation "org.apache.logging.log4j:log4j-api:2.16.0"
    implementation "org.apache.logging.log4j:log4j-core:2.16.0"
    implementation "org.apache.logging.log4j:log4j-jcl:2.16.0"
    implementation "org.apache.logging.log4j:log4j-jul:2.16.0"
    implementation "org.apache.logging.log4j:log4j-web:2.16.0"
    implementation "org.apache.logging.log4j:log4j-slf4j18-impl:2.16.0"

-- add to the end of build.gradle

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes = ["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
        }
    }
}

I would recommend you unpack the new war once it is built and update the excludes list as needed.

-Jeff


Baba Ndiaye

Dec 15, 2021, 3:24:31 PM12/15/21
to CAS Community, jeffrey...@gmail.com
Thank you Jeff

Baba Ndiaye

Dec 15, 2021, 5:33:57 PM12/15/21
to CAS Community, jeffrey...@gmail.com
Eventually I'm using JSON for the service registry, but I have this:
unzip -l /var/lib/tomcat9/webapps/cas.war | grep log4j
    35359  2021-12-15 21:05   WEB-INF/lib/log4j-web-2.16.0.jar
    21248  2021-12-15 21:05   WEB-INF/lib/log4j-slf4j18-impl-2.16.0.jar
  1789565  2021-12-15 21:05   WEB-INF/lib/log4j-core-2.16.0.jar
    12847  2021-12-15 21:05   WEB-INF/lib/log4j-jcl-2.16.0.jar
    30977  2021-12-15 21:05   WEB-INF/lib/log4j-jul-2.16.0.jar
   301892  2021-12-15 21:05   WEB-INF/lib/log4j-api-2.16.0.jar
    26461  2021-12-15 22:08   WEB-INF/lib/log4j-jul-2.14.1.jar
    12694  2021-12-15 22:08   WEB-INF/lib/log4j-jcl-2.14.1.jar
    20688  2021-12-15 22:08   WEB-INF/lib/log4j-slf4j18-impl-2.14.1.jar
   300365  2021-12-15 22:08   WEB-INF/lib/log4j-api-2.14.1.jar
    35337  2021-12-15 22:08   WEB-INF/lib/log4j-web-2.14.1.jar
     4774  2021-12-15 22:08   WEB-INF/lib/spring-boot-starter-log4j2-2.5.4.jar
  1745700  2021-12-15 22:08   WEB-INF/lib/log4j-core-2.14.1.jar
   180352  2021-12-15 22:08   WEB-INF/lib/log4j-layout-template-json-2.14.1.jar

WEB-INF/lib/log4j-core-2.14.1.jar and WEB-INF/lib/log4j-layout-template-json-2.14.1.jar are still log4j 2.14.1. Is there any issue, please?
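As an added example (not code from this thread or from the CAS project): a small Python audit that performs the check Jeff recommends above, looking inside the built war at WEB-INF/lib, and flags what the `unzip -l` listing above shows by hand: log4j jars still below the fixed version, artifacts shipped in two versions (the overlay excludes missed them), and artifacts that exist only in the old version (excluding them alone would drop the jar, so a dependency at the fixed version has to be added as well). It assumes a jar belongs to log4j when its file name starts with `log4j-`, takes the minimum acceptable version as a parameter (2.16.0 here, as in the thread), and builds its sample war in memory from the jar names in the listing above; those names are the only input it needs.

```python
"""Audit WEB-INF/lib of a built CAS war for stale or duplicated log4j jars.

Added example, not from the thread. Assumptions: a log4j artifact is recognised
purely by file name ("log4j-<artifact>-<version>.jar"), and the safe baseline
version is supplied by the caller (2.16.0 below, as discussed in the thread).
"""
import io
import re
import zipfile
from collections import defaultdict
from typing import Dict, List, Optional, Tuple, Union

Version = Tuple[int, ...]

# Matches "WEB-INF/lib/<artifact>-<numeric.version>.jar". The non-greedy artifact
# group stops at the first "-<digits>.<digits>", so log4j-slf4j18-impl-2.14.1.jar
# splits into ("log4j-slf4j18-impl", (2, 14, 1)).
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")


def parse_jar(entry: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version tuple) for a WEB-INF/lib jar entry, else None."""
    m = JAR_RE.match(entry)
    if not m:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("version").split("."))


def audit_lib(entries: List[str], min_log4j: Version = (2, 16, 0)) -> Dict[str, List[str]]:
    """Classify the log4j jars found among the given war entries.

    outdated      : jar paths whose log4j artifact is below min_log4j (exclude these)
    duplicated    : artifacts present in more than one version (excludes were incomplete)
    missing_fixed : artifacts with no version >= min_log4j at all (a dependency at the
                    fixed version must be added; excluding alone would remove the jar)
    """
    versions: Dict[str, Dict[Version, str]] = defaultdict(dict)
    for entry in entries:
        parsed = parse_jar(entry)
        if parsed is None:
            continue
        artifact, version = parsed
        # Name-based heuristic (assumption): org.apache.logging.log4j artifacts are
        # "log4j-*". spring-boot-starter-log4j2 is deliberately not matched.
        if artifact.startswith("log4j-"):
            versions[artifact][version] = entry

    outdated = sorted(path for vs in versions.values() for v, path in vs.items() if v < min_log4j)
    duplicated = sorted(a for a, vs in versions.items() if len(vs) > 1)
    missing_fixed = sorted(a for a, vs in versions.items() if all(v < min_log4j for v in vs))
    return {"outdated": outdated, "duplicated": duplicated, "missing_fixed": missing_fixed}


def audit_war(war: Union[str, bytes], min_log4j: Version = (2, 16, 0)) -> Dict[str, List[str]]:
    """Open a war (file path or raw bytes) and audit its WEB-INF/lib entries."""
    src = io.BytesIO(war) if isinstance(war, bytes) else war
    with zipfile.ZipFile(src) as zf:
        return audit_lib(zf.namelist(), min_log4j)


def gradle_excludes(report: Dict[str, List[str]]) -> str:
    """Render the outdated jars as an excludes line for the bootWar overlay block."""
    quoted = ",".join(f'"{p}"' for p in report["outdated"])
    return f"excludes = [{quoted}]"


# Constructed sample: the jar names from the `unzip -l` listing in the thread, packed
# into an in-memory war with empty entries (jar contents do not matter for the audit).
SAMPLE_LIB = [
    "log4j-web-2.16.0.jar", "log4j-slf4j18-impl-2.16.0.jar", "log4j-core-2.16.0.jar",
    "log4j-jcl-2.16.0.jar", "log4j-jul-2.16.0.jar", "log4j-api-2.16.0.jar",
    "log4j-jul-2.14.1.jar", "log4j-jcl-2.14.1.jar", "log4j-slf4j18-impl-2.14.1.jar",
    "log4j-api-2.14.1.jar", "log4j-web-2.14.1.jar", "spring-boot-starter-log4j2-2.5.4.jar",
    "log4j-core-2.14.1.jar", "log4j-layout-template-json-2.14.1.jar",
]


def build_sample_war() -> bytes:
    """Build the constructed sample war in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_LIB:
            zf.writestr("WEB-INF/lib/" + name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_war(build_sample_war())
    for key, items in report.items():
        print(f"{key}: {items}")
    print(gradle_excludes(report))
```

Run as-is, it audits the sample; on a real build pass the path instead, e.g. `audit_war("build/libs/cas.war")` (that path is an assumption, use wherever your overlay writes the war). On the listing above it reports seven outdated jars, six artifacts present in both 2.14.1 and 2.16.0, and log4j-layout-template-json as present only in 2.14.1, which is exactly the case where widening the excludes pattern is not enough on its own. The rendered excludes line can be pasted into the bootWar overlay block; re-run the audit after every rebuild until it comes back empty.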

Lars Feistner

Dec 16, 2021, 11:18:08 AM12/16/21
to cas-...@apereo.org
Hi,

Just in case anyone out there is still using the 5.3.x version and building the overlay with Maven:
I have added these lines to the dependencies section:
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-jcl</artifactId>
      <version>${log4j.version}</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>${log4j.version}</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-web</artifactId>
      <version>${log4j.version}</version>
      <scope>runtime</scope>
    </dependency>
and these lines to the excludes section of the maven-war-plugin:
<overlays>
  <overlay>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp${app.server}</artifactId>
    <excludes>
      <exclude>WEB-INF/lib/log4j-api-2.12.1.jar</exclude>
      <exclude>WEB-INF/lib/log4j-core-2.12.1.jar</exclude>
      <exclude>WEB-INF/lib/log4j-jcl-2.12.1.jar</exclude>
      <exclude>WEB-INF/lib/log4j-slf4j-impl-2.12.1.jar</exclude>
      <exclude>WEB-INF/lib/log4j-web-2.12.1.jar</exclude>
    </excludes>
  </overlay>
</overlays>

Best regards,
Lars


--
Lars Feistner
Head of Development
Phone: +49 6221/186749-5
Mail: l.fei...@cares.institute
Institut für Kommunikations- und Prüfungsforschung gGmbH
Institute for Communication and Assessment Research
Wieblinger Weg 92a
69123 Heidelberg, Germany
Web: www.ucan-assess.org

Jennifer LaVoie

Dec 16, 2021, 11:26:36 AM12/16/21
to cas-...@apereo.org
Thanks, Lars. Very helpful.



--
"Confusion is a word we have invented for an order which is not understood."  ~Henry Miller

Raph C

Dec 16, 2021, 3:27:13 PM12/16/21
to cas-...@apereo.org
Hi,

You have to exclude log4j* from WEB-INF/lib in the overlay plugin and add the correct version as a dependency (use 2.16.0 instead; a new CVE appeared on Tuesday).
Regards,


Pablo Vidaurri

Dec 20, 2021, 2:50:00 PM12/20/21
to CAS Community, Raph C

2.17.0 is actually out now

Andy Ng

Dec 31, 2021, 2:12:37 AM12/31/21
to CAS Community, Pablo Vidaurri, Raph C
And... 2.17.1 is out as well.

Baba Ndiaye

Dec 31, 2021, 9:09:41 AM12/31/21
to CAS Community, Pablo Vidaurri, Raph C
Yes, there is a new update for cas-overlay-template.
