Thank you (!) for such a detailed response. We're (heavily) testing the resulting overlay and will update the list here with the end result.

Best,
Bert

On Friday, April 8, 2022 at 11:17:35 AM UTC-4 randomuser878 wrote:
> You could try
>
> gradle.properties
> log4j2.version=2.17.1
> spring.version=5.2.20.RELEASE
> spring.securitycas.version=5.2.15.RELEASE
>
> build.gradle
> def log4JVersion = project.'log4j2.version'
> def springVersion = project.'spring.version'
> def springSecurityCasVersion = project.'spring.securitycas.version'
>
> dependencies {
>     ....
>     // Override the log4J vulnerability, back-port
>     compile "org.apache.logging.log4j:log4j-api:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-core:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-jcl:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-jul:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-slf4j-impl:${log4JVersion}"
>     compile "org.apache.logging.log4j:log4j-web:${log4JVersion}"
>
>     compile "org.springframework:spring-aop:${springVersion}"
>     compile "org.springframework:spring-beans:${springVersion}"
>     compile "org.springframework:spring-context:${springVersion}"
>     compile "org.springframework:spring-context-support:${springVersion}"
>     compile "org.springframework:spring-core:${springVersion}"
>     compile "org.springframework:spring-expression:${springVersion}"
>     compile "org.springframework:spring-jcl:${springVersion}"
>     compile "org.springframework:spring-jdbc:${springVersion}"
>     compile "org.springframework:spring-jms:${springVersion}"
>     compile "org.springframework:spring-messaging:${springVersion}"
>     compile "org.springframework:spring-orm:${springVersion}"
>     compile "org.springframework:spring-oxm:${springVersion}"
>
>     compile "org.springframework.security:spring-security-cas:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-config:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-core:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-crypto:${springSecurityCasVersion}"
>     compile "org.springframework.security:spring-security-web:${springSecurityCasVersion}"
>     compile "org.springframework:spring-tx:${springVersion}"
>     compile "org.springframework:spring-web:${springVersion}"
>     compile "org.springframework:spring-webmvc:${springVersion}"
>
>     .....
>
> bootWar {
>     entryCompression = ZipEntryCompression.STORED
>     overlays {
>         cas {
>             from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
>             provided = false
>             excludes = ["WEB-INF/lib/log4j-*-2.12.1.jar",
>                         "WEB-INF/lib/spring-*-5.2.0.RELEASE.jar"]
>         }
>     }
> }
>
> And heavy unit test...
> Good luck
>
> On Wednesday, April 6, 2022 at 10:55:58 PM UTC-4 Bert Bee-Lindgren wrote:
>> [We're working on upgrading from (heavily backported-patched) CAS 6.1 to something supported by the OS project. In the meantime....]
>>
>> We know our CAS 6.1 system is using SpringFramework 5.2.0 but is not directly vulnerable to the CVE-2022-22965 (not deployed as a .war in Tomcat). Nevertheless, we would like to start testing a SpringFramework upgrade to avoid future ways of reaching the vulnerability.
>>
>> The normal way would be to change our SpringBoot dependency, but CAS6.1 uses SB2.2.4 and moving it to SB2.5.12 seems like a BIG jump. The SpringFramework upgrade from 5.2.0 to 5.2.20 seems preferable given it stays within the 5.2 release.
>>
>> To try to accomplish a SpringFramework upgrade, we've tried "springVersion=5.2.20" in gradle.properties, but the resulting project still seemed to be using 5.2.0.
>>
>> Does anyone have advice on how to proceed?
>> - Upgrade SpringBoot from 2.2.4 to 2.5.12 (easy to do, worried it isn't likely to work)
>> - Upgrade SpringFramework from 5.2.0 --> 5.2.20 (we don't know how to do this)
>> - Something else?
>>
>> Thank you,
>> Bert Bee-Lindgren

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/10654600-3868-4736-b64a-9c223012aae8n%40apereo.org.
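A quick way to confirm that the overlay really shipped the pinned versions (the "still seemed to be using 5.2.0" worry above) and that the `excludes` patterns removed the old jars: an added example, not code from this thread or from the CAS project, which opens the built war and flags any pinned library that is duplicated or left at a stale version under WEB-INF/lib. The version map is taken from the versions quoted in the thread; the sample war is constructed inline and does not come from a real CAS build.

```python
import io
import re
import zipfile
from collections import defaultdict

# Maven-style jar name under WEB-INF/lib: <artifact>-<version>.jar, version starts with a digit.
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")
# Versions the overlay pins (the ones quoted in this thread); the longest matching prefix wins.
EXPECTED = {"spring-": "5.2.20.RELEASE", "spring-security-": "5.2.15.RELEASE", "log4j-": "2.17.1"}

def inventory(war_bytes):
    """Return {artifact: sorted versions} for every jar found under WEB-INF/lib/."""
    found = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found[m.group("artifact")].add(m.group("version"))
    return {artifact: sorted(versions) for artifact, versions in found.items()}

def find_problems(war_bytes, expected=EXPECTED):
    """List (artifact, versions) that are duplicated or not at the pinned version.

    A duplicate means the overlay's 'excludes' pattern missed the old jar, so both
    versions ship and classpath order decides which one actually loads."""
    problems = []
    for artifact, versions in sorted(inventory(war_bytes).items()):
        matches = [p for p in expected if artifact.startswith(p)]
        if not matches:
            continue  # not a library the overlay pins
        want = expected[max(matches, key=len)]
        if len(versions) > 1 or versions != [want]:
            problems.append((artifact, versions))
    return problems

def build_sample_war():
    """Constructed sample war: a duplicate spring-core jar and a stale log4j-api jar."""
    jars = [
        "spring-core-5.2.20.RELEASE.jar", "spring-core-5.2.0.RELEASE.jar",
        "spring-web-5.2.20.RELEASE.jar", "spring-security-cas-5.2.15.RELEASE.jar",
        "log4j-core-2.17.1.jar", "log4j-api-2.12.1.jar", "cas-server-core-6.1.0.jar",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jars:
            war.writestr("WEB-INF/lib/" + jar, b"")  # jar contents are irrelevant to the check
    return buf.getvalue()
```

Point `find_problems` at the bytes of the real `build/libs/*.war` to check an actual overlay; an empty list means every pinned library is present exactly once at the expected version.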