log4j2 vulnerability


Manuel Cones

Dec 10, 2021, 1:37:41 PM
to CAS Community
Hello, due to the recently discovered log4j2 vulnerability, what's the way to mitigate it?


Should I add log4j2.formatMsgNoLookups=true to the cas.properties file?

Thanks in Advance,
Manuel.

Anders Collstrup

Dec 11, 2021, 7:44:26 AM
to cas-...@apereo.org
My fix was the following:

CAS 6.1 running on Debian 10. All except CAS installed from standard repos.

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing:
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True


Robert Oschwald

Dec 11, 2021, 10:24:54 AM
to cas-...@apereo.org
JDK 1.8u192 or newer, or JDK 11.0.2 or newer, are not affected, it seems, as JNDI lookups are disabled there by default.

Richard Frovarp

Dec 12, 2021, 12:10:20 PM
to cas-...@apereo.org
Newer versions of the JDK are still affected. The newer JDK versions stop JNDI from running remote code; they don't stop the JNDI lookup. An attacker can still exfil data through the DNS lookup. Also, there are other paths to exploit with this attack. It was first found via JNDI LDAP to execute remote code. There is now a known path using classes present in Apache Tomcat. There will be more that are found. Update Log4j or put the environment variable in.

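An added example (not code from the thread or from the CAS project) that checks the two things Anders's fix relies on: that setenv.sh sets the property, and that the Tomcat startup log proves the running JVM actually received it. It assumes the setenv.sh layout and the VersionLoggerListener log format shown above; the sample files it builds are constructed, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that the
# -Dlog4j2.formatMsgNoLookups mitigation described above actually reached the
# JVM. Two checks: the setenv.sh content and the Tomcat startup log line that
# VersionLoggerListener prints for every command-line argument.

# Return 0 if the setenv.sh at $1 sets -Dlog4j2.formatMsgNoLookups=true in JAVA_OPTS.
# The match is case-insensitive (the thread uses "True"); Log4j reads the
# property with Boolean.parseBoolean, which accepts any capitalisation.
setenv_has_nolookups() {
    grep -Ei '^[[:space:]]*(export[[:space:]]+)?JAVA_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true([^[:alnum:]]|$)' "$1" >/dev/null
}

# Return 0 if the Catalina log at $1 shows the flag on the running JVM's command line.
log_shows_nolookups() {
    grep -Ei 'VersionLoggerListener\.log Command line argument: -Dlog4j2\.formatMsgNoLookups=true([^[:alnum:]]|$)' "$1" >/dev/null
}

# Both must hold: an edited setenv.sh without a Tomcat restart passes the first
# check only, so the log line is what proves the running process has the flag.
mitigation_confirmed() {
    setenv_has_nolookups "$1" && log_shows_nolookups "$2"
}

# Stand-alone demo on constructed inputs (hypothetical paths, not the poster's host).
demo_dir=$(mktemp -d)
printf 'JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"\n' > "$demo_dir/setenv.sh"
printf '10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True\n' > "$demo_dir/catalina.out"
if mitigation_confirmed "$demo_dir/setenv.sh" "$demo_dir/catalina.out"; then
    echo "formatMsgNoLookups confirmed in setenv.sh and on the running JVM"
else
    echo "formatMsgNoLookups NOT confirmed: fix setenv.sh and/or restart Tomcat"
fi
rm -rf "$demo_dir"
```

The property is only honoured by Log4j 2.10 and later, so a passing check on an older log4j-core still leaves the host exposed; as Richard's reply says, updating Log4j is the complete fix and this flag is the stop-gap.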

Robert Oschwald

Dec 12, 2021, 12:18:55 PM
to cas-...@apereo.org
Thanks for clarification.

Sent while mobile
