CAS Log4J Vulnerability Disclosure


Overview

A new zero-day exploit has been reported against the Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar. This has been fixed in Log4J v2.17.0. While updating third-party libraries for patch releases is generally not the project policy, an exception is warranted in this case given the nature of this vulnerability.

CAS security releases are now made available to ensure the Log4J library is upgraded to a more secure version.

For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.

Affected Deployments

The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 6.3.x
- 6.4.x

If your CAS version is not listed above and is still part of an active maintenance cycle per the CAS maintenance policy, you might need to take manual action to ensure the Log4J library is upgraded to a more recent acceptable version. Examine the Log4J library version found in your CAS build to determine its vulnerability status, and then substitute as necessary.

Severity

See CVE-2021-44228. Also see this post.

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.

Note that previous mitigations involving configuration, such as setting the system property log4j2.noFormatMsgLookup to true, do NOT mitigate this specific vulnerability.

Then, per CVE-2021-45105,

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

Timeline

The issue was originally reported on December 9th, 2021 and CAS releases were patched on October 10th-11th, 2021 and released. The original patch releases for this issue upgraded relevant CAS versions to Log4J 2.15.0. In light of this post, additional patch releases were published on December 15th 2021 to upgrade Log4J to 2.16.0. Then, following this announcement, additional patch releases were published to upgrade Log4J to 2.17.0 on December 17th, 2021.

Patching

Patch releases are available for affected CAS deployments. Upgrading to the next patch version of each release should be a drop-in replacement.

Procedure

Note
The patch releases below upgrade the affected Log4J dependency to 2.17.0. If you do not wish to upgrade CAS itself, the safest course is to upgrade Log4J directly to a safe version, or to remove the JndiLookup class from the log4j-core JAR file. Other mitigation measures are insufficient.
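As an added example (not the CAS project's own code), serving both the "examine the Log4J version in your CAS build" step under Affected Deployments and the JndiLookup fallback in this note: a Python triage script that scans a CAS WAR for bundled log4j-core jars under WEB-INF/lib, compares each version against the 2.17.0 fix level, and reports whether JndiLookup.class is still present. The status labels and the constructed sample WAR are assumptions of the example, not artefacts of a real CAS build.

```python
import io
import os
import re
import tempfile
import zipfile

FIXED = (2, 17, 0)  # Log4J release this advisory upgrades CAS to
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"(?:^|/)log4j-core-([0-9][^/]*?)\.jar$")

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); '2.0-alpha1' -> (2, 0, 0), so pre-releases sort below 2.17.0."""
    nums = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])

def assess_jar(name, jar_bytes):
    """Classify one bundled log4j-core jar by version and by presence of JndiLookup."""
    version = parse_version(JAR_RE.search(name).group(1))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if version >= FIXED:
        status = "patched"
    elif not has_jndi:
        status = "mitigated-jndilookup-removed"  # the fallback the advisory allows
    else:
        status = "VULNERABLE"
    return {"jar": name, "version": version, "jndi_lookup_present": has_jndi, "status": status}

def scan_war(war_path):
    """Return an assessment for every log4j-core jar found inside the WAR."""
    with zipfile.ZipFile(war_path) as war:
        return [assess_jar(n, war.read(n)) for n in war.namelist() if JAR_RE.search(n)]

def build_sample_war(version, include_jndi):
    """Constructed sample input: a toy cas.war with one log4j-core jar, not a real build."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    war_path = os.path.join(tempfile.mkdtemp(), "cas.war")
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar_buf.getvalue())
    return war_path

if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.15.0", False), ("2.17.0", True)]:
        for r in scan_war(build_sample_war(ver, jndi)):
            print(r["jar"], r["status"])
```

Point scan_war at the real cas.war produced by your overlay build; a result other than "patched" means the deployment still needs the patch release above or the JndiLookup removal.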

6.3.x

Modify your CAS overlay to point to the version 6.3.7.4.

6.4.x

Modify your CAS overlay to point to the version 6.4.4.2.

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed
