CAS Log4J Vulnerability Disclosure


Overview

A new zero-day exploit has been reported against the Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar. This has been fixed in Log4J v2.17.0. While updating third-party libraries for patch releases is generally not the project policy, an exception is warranted in this case given the nature of this vulnerability.

CAS security releases are now made available to ensure the Log4J library is upgraded to a more secure version.

For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.

Affected Deployments

The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 6.3.x
- 6.4.x

If your CAS version is not listed above and is still part of an active maintenance cycle per the CAS maintenance policy, you might need to take manual action to ensure the Log4J library is upgraded to a more recent acceptable version. Examine the Log4J library version found in your CAS build to determine its vulnerability status, and then substitute as necessary.

Severity

See CVE-2021-44228. Also see this post.

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.

Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

Then, per CVE-2021-45105,

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

Timeline

The issue was originally reported on December 9th, 2021 and CAS releases were patched on October 10th-11th, 2021 and released. The original patch releases for this issue upgraded relevant CAS versions to Log4J 2.15.0. In light of this post, additional patch releases were published on December 15th 2021 to upgrade Log4J to 2.16.0. Then, following this announcement, additional patch releases were published to upgrade Log4J to 2.17.0 on December 17th, 2021.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Procedure

Note
Patch releases below upgrade the affected Log4J dependency to 2.17.0. If you do not wish to upgrade, the safest thing to do is to upgrade Log4J to a safe version, or remove the JndiLookup class from the log4j-core JAR file. Other mitigation measures are insufficient.

6.3.x

Modify your CAS overlay to point to the version 6.3.7.4.

6.4.x

Modify your CAS overlay to point to the version 6.4.4.2.

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed

Related Posts

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release

...in which I present an overview of CAS 6.2.0 RC5 release.