Has anyone attempted to mitigate this CVE yet?
There seems to be two possible approaches to mitigation:
1 The sledgehammer approach of removing the JndiLookup.class from the jar files:
zip –q –d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
2. Rebuild CAS and set “log4jVersion=2.15.0”
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/afcce42d-1ecd-1bd8-6598-ecba78b6e987%40ndsu.edu.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEdMQHUe7%2BfgzA2uQ2eWFe9O-a%3D9sOP4LBi9FviTvsEMYHtKsA%40mail.gmail.com.
Just rolled out this mitigation to our servers, seems to be effective for CAS 6.3.x builds.
Our environment for reference:
- Standalone Tomcat
- CAS and CAS-Management as deployed jars
- CAS and CAS-Mangement built from cas-overlay and cas-management-overlay repos.
Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat startup in systemd tomcat.service file.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/67916862-8f31-e08c-1949-86a97958ba36%40ndsu.edu.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b01416e5aefd4cb6aba835240836244d%40mun.ca.