How to fix CVE-2022-22965 in CAS6.1.x


Bert Bee-Lindgren

Apr 6, 2022, 10:55:58 PM
to CAS Community
[We're working on upgrading from (heavily backported-patched) CAS 6.1 to something supported by the OS project. In the meantime....]

We know our CAS 6.1 system is using SpringFramework 5.2.0 but is not directly vulnerable to the CVE-2022-22965 (not deployed as a .war in Tomcat). Nevertheless, we would like to start testing a SpringFramework upgrade to avoid future ways of reaching the vulnerability.

The normal way would be to change our SpringBoot dependency, but CAS6.1 uses SB2.2.4 and moving it to SB2.5.12 seems like a BIG jump. The SpringFramework upgrade from 5.2.0 to 5.2.20 seems preferable given it stays within the 5.2 release.

To try to accomplish a SpringFramework upgrade, we've tried "springVersion=5.2.20" in gradle.properties, but the resulting project still seemed to be using 5.2.0. 

Does anyone have advice on how to proceed?
-Upgrade SpringBoot from 2.2.4 to 2.5.12  (easy to do, worried it isn't likely to work)
-Upgrade SpringFramework from 5.2.0 --> 5.2.20 (we don't know how to do this)
-Something else?

Thank you,
  Bert Bee-Lindgren

randomuser878

Apr 8, 2022, 11:17:35 AM
to CAS Community, Bert Bee-Lindgren
You could try
gradle.properties
log4j2.version=2.17.1
spring.version=5.2.20.RELEASE
spring.securitycas.version=5.2.15.RELEASE

build.gradle
// Read the pinned versions from gradle.properties so they live in one place
def log4JVersion = project.'log4j2.version'
def springVersion = project.'spring.version'
def springSecurityCasVersion = project.'spring.securitycas.version'

dependencies {
....
    // Override the log4J vulnerability, back-port
    compile "org.apache.logging.log4j:log4j-api:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-core:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-jcl:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-jul:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-slf4j-impl:${log4JVersion}"
    compile "org.apache.logging.log4j:log4j-web:${log4JVersion}"

    // Pin every Spring Framework module to the same patched 5.2.x release
    compile "org.springframework:spring-aop:${springVersion}"
    compile "org.springframework:spring-beans:${springVersion}"
    compile "org.springframework:spring-context:${springVersion}"
    compile "org.springframework:spring-context-support:${springVersion}"
    compile "org.springframework:spring-core:${springVersion}"
    compile "org.springframework:spring-expression:${springVersion}"
    compile "org.springframework:spring-jcl:${springVersion}"
    compile "org.springframework:spring-jdbc:${springVersion}"
    compile "org.springframework:spring-jms:${springVersion}"
    compile "org.springframework:spring-messaging:${springVersion}"
    compile "org.springframework:spring-orm:${springVersion}"
    compile "org.springframework:spring-oxm:${springVersion}"

    // Spring Security modules are versioned separately from the framework
    compile "org.springframework.security:spring-security-cas:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-config:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-core:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-crypto:${springSecurityCasVersion}"
    compile "org.springframework.security:spring-security-web:${springSecurityCasVersion}"
    compile "org.springframework:spring-tx:${springVersion}"
    compile "org.springframework:spring-web:${springVersion}"
    compile "org.springframework:spring-webmvc:${springVersion}"

.....

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            // Drop the old jars shipped inside the upstream CAS war so only the
            // pinned versions above end up in WEB-INF/lib
            excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar", "WEB-INF/lib/spring-*-5.2.0.RELEASE.jar"]
        }
    }
}


And heavy unit testing...
Good luck
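The overlay approach above only works if the excludes pattern actually removes the old jars and the pinned ones replace them; a silent failure leaves two versions of a Spring module side by side in WEB-INF/lib, or leaves a module the pattern missed at 5.2.0. The following audit script is an added example, not code from the thread or from the CAS project: it opens the built war and reports any Spring Framework jar below the patched release named in the thread (5.2.20) and any artifact present in more than one version. The module list, the 5.2.20 threshold and the sample war it constructs for demonstration are assumptions taken from the posts above, not from a real build.

```python
import os
import re
import tempfile
import zipfile
from collections import defaultdict

# Spring Framework modules pinned in the build.gradle snippet above
SPRING_FRAMEWORK_MODULES = {
    "spring-aop", "spring-beans", "spring-context", "spring-context-support",
    "spring-core", "spring-expression", "spring-jcl", "spring-jdbc", "spring-jms",
    "spring-messaging", "spring-orm", "spring-oxm", "spring-tx", "spring-web",
    "spring-webmvc",
}

# Minimum 5.2.x release the thread upgrades to for CVE-2022-22965
PATCHED_SPRING = (5, 2, 20)

# WEB-INF/lib/<artifact>-<version>.jar; the version part must start with a digit,
# so hyphenated artifact names such as spring-security-cas parse correctly
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[^/]*)\.jar$")


def parse_version(version):
    """Turn '5.2.20.RELEASE' into (5, 2, 20) so versions compare numerically."""
    numeric = re.match(r"\d+(?:\.\d+)*", version).group(0)
    return tuple(int(part) for part in numeric.split("."))


def audit_war(path, min_spring=PATCHED_SPRING):
    """Return a list of findings: ('duplicate', artifact, [versions]) when an
    artifact ships in more than one version, ('outdated', artifact, version)
    when a Spring Framework module is below the patched release."""
    by_artifact = defaultdict(set)
    with zipfile.ZipFile(path) as war:
        for name in war.namelist():
            match = JAR_RE.match(name)
            if match:
                by_artifact[match["artifact"]].add(match["version"])

    findings = []
    for artifact, versions in sorted(by_artifact.items()):
        ordered = sorted(versions, key=parse_version)
        if len(ordered) > 1:
            # Two copies on the classpath: the overlay excludes did not remove the old jar
            findings.append(("duplicate", artifact, ordered))
        if artifact in SPRING_FRAMEWORK_MODULES:
            for version in ordered:
                if parse_version(version) < min_spring:
                    findings.append(("outdated", artifact, version))
    return findings


def build_sample_war():
    """Construct a throwaway war (empty jar entries, constructed data) that
    mimics a half-successful overlay: spring-core kept both versions, spring-web
    was missed entirely, spring-beans and log4j were replaced correctly."""
    path = os.path.join(tempfile.mkdtemp(), "cas-sample.war")
    entries = [
        "WEB-INF/lib/spring-core-5.2.0.RELEASE.jar",
        "WEB-INF/lib/spring-core-5.2.20.RELEASE.jar",
        "WEB-INF/lib/spring-web-5.2.0.RELEASE.jar",
        "WEB-INF/lib/spring-beans-5.2.20.RELEASE.jar",
        "WEB-INF/lib/spring-security-cas-5.2.15.RELEASE.jar",
        "WEB-INF/lib/spring-boot-2.2.4.RELEASE.jar",
        "WEB-INF/lib/log4j-core-2.17.1.jar",
        "WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar",
    ]
    with zipfile.ZipFile(path, "w") as war:
        for entry in entries:
            war.writestr(entry, b"")
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_war()
    for kind, artifact, detail in audit_war(target):
        print(f"{kind:9} {artifact}: {detail}")
```

Run it against the war produced by the bootWar task (for example `python audit_war.py build/libs/<your-war>.war`); an empty report means every framework module is at or above 5.2.20 and no artifact is present twice. Without an argument it audits the constructed sample and reports the duplicate spring-core pair and the outdated spring-core and spring-web jars, while spring-beans, the separately versioned spring-security-cas and the spring-boot jar produce no findings.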

Bert Bee-Lindgren

Apr 11, 2022, 10:14:18 PM
to CAS Community, randomuser878, Bert Bee-Lindgren
Thank you (!) for such a detailed response. We're (heavily) testing the resulting overlay and will update the list here with the end result.

Best,
  Bert