Posted to users@jena.apache.org by Andy Seaborne <an...@apache.org> on 2021/12/18 00:04:18 UTC

Release 4.3.2 -- was:[ANN] Apache Jena 4.3.1

Hi Andrew,

Thank you for letting us know.

Rob spotted that the log4j project security page has been updated:

https://logging.apache.org/log4j/2.x/security.html

revising it to critical 9/10

We've already started a vote on Jena 4.3.2 with log4j 2.16.0.

   https://lists.apache.org/thread/tj0mo24g8jvfr02964nww96ckfvxnhjm

(we are not bypassing the need to have the proper votes for a release)

Very few changes in 4.3.2 but - bonus prize! - JENA-2215 (make sure 
logging is in the war file) is included.

     Andy

On 17/12/2021 21:33, Andrii Berezovskyi wrote:
> Hello Andy,
> 
> I hate to be the bearer of bad news, but in a recent discussion on Lobsters [1] it was brought to my attention that there apparently exists a bypass [2] of the fix in 2.15.0 that brings back the RCE. To be clear, the new exploit no longer requires fiddling with the Thread Context Map settings. The CVE page [3] now says "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.", which means that the original score 3.7/10 no longer applies to the new CVE.
> 
> Harri, the WAR file of the 4.3.1 was missing log4j JARs and I had success simply placing 2.16.0 JARs myself. You should be able to use that as a temporary mitigation until the new version comes out.
> 
> /Andrew
> 
> [1]: https://lobste.rs/s/ccc9tu/patch_fixing_critical_log4j_0_day_has_its#c_c2syst
> [2]: https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered
> [3]: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
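
The message above turns on which log4j-core jar a deployment actually carries (the 4.3.1 WAR shipped none, and 2.16.0 jars were dropped into it by hand). The following is an added example, not code from this thread or from the Jena project: it lists the log4j-core jars bundled in a WAR with their versions, and says explicitly when there are none. A WAR is a zip and each jar inside it is a zip, so only the Python standard library is needed. The sample WARs are constructed in memory with placeholder entries rather than real log4j bytes; `MIN_OK` is set to the 2.16.0 the thread settled on and is an assumption, so set it to whatever your current advisory requires.

```python
"""
Added example (not Jena project code): report the log4j-core jars inside a
WAR. Sample WARs below are constructed with placeholder entries; the only
real-world identifiers are the jar naming convention and the JndiLookup
class path. MIN_OK is an assumption taken from the thread.
"""
import io
import re
import zipfile

LOG4J_CORE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)\.jar$")
# The class the widely circulated "zip -d" workaround deletes from old jars.
# Reporting it shows whether that workaround was applied to a jar that is
# still too old; its presence alone is not a verdict for 2.16.0 and later.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_OK = (2, 16, 0)  # assumption: the version voted on in the thread


def parse_version(text):
    """'2.15.0' -> (2, 15, 0), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def scan_war(war_bytes):
    """Return one finding per log4j-core jar in the WAR (empty list if none)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = LOG4J_CORE.search(name)
            if not m:
                continue
            version = parse_version(m.group(1))
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
            findings.append({
                "path": name,
                "version": version,
                "has_jndi_lookup": has_jndi,
                "ok": version >= MIN_OK,
            })
    return findings


def report(findings):
    """Human-readable lines; an empty scan is itself worth saying out loud."""
    if not findings:
        return ["no log4j-core jar in WAR: logging must be supplied separately"]
    return [
        "%s version %s jndi-lookup=%s %s" % (
            f["path"], ".".join(map(str, f["version"])),
            "present" if f["has_jndi_lookup"] else "removed",
            "OK" if f["ok"] else "OLDER THAN %s" % ".".join(map(str, MIN_OK)))
        for f in findings
    ]


def _jar(entries):
    """Build an in-memory jar (zip) whose entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for e in entries:
            z.writestr(e, b"")
    return buf.getvalue()


def build_sample_war(core_version):
    """Constructed WAR: web.xml, an unrelated jar and, unless core_version is
    None, a placeholder log4j-core jar that still contains JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/jena-core-4.3.1.jar", _jar(["META-INF/MANIFEST.MF"]))
        if core_version is not None:
            war.writestr("WEB-INF/lib/log4j-core-%s.jar" % core_version,
                         _jar(["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS]))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # real use: python scan_war.py fuseki.war
        with open(sys.argv[1], "rb") as fh:
            print("\n".join(report(scan_war(fh.read()))))
    else:                            # demo on the constructed WARs
        for v in ("2.15.0", "2.16.0", None):
            print("\n".join(report(scan_war(build_sample_war(v)))))
```

Run it against a real WAR by passing the path as the first argument; with no argument it scans the three constructed WARs (old core, new core, no core at all). The "no log4j-core" line is the case the thread describes for 4.3.1: a WAR that is not vulnerable through log4j but will not log until jars are supplied, which is also exactly when someone drops in whatever jar is to hand.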


Re: Release 4.3.2 -- was:[ANN] Apache Jena 4.3.1

Posted by Andy Seaborne <an...@apache.org>.
Part 3.

https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Fuseki does not have a pattern with a context Lookup (for example, 
$${ctx:loginId}) or indeed any ${} lookup.

Fuseki:
   [%d{yyyy-MM-dd HH:mm:ss}] %-10c{1} %-5p %m%n

Command line tools
   %d{HH:mm:ss} %-5p %-15c{1} :: %m%n

     Andy
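
The point of the message above is that the condition for CVE-2021-45105 is a non-default PatternLayout pattern carrying a lookup (the log4j security page's example is `$${ctx:loginId}`), and that neither Jena pattern has one. The following is an added example, not the Jena project's code: it pulls every `*.pattern` key out of a log4j2.properties-style config and flags any `${...}` or `$${...}` lookup, treating `ctx:` as the attacker-reachable case. The config is a constructed sample with an assumed `appender.<name>.layout.pattern` key layout, not the file Jena ships; it carries the two patterns quoted above plus a hypothetical audit appender that exists only to show a ctx lookup being caught. Backslash line continuations in properties files are not handled.

```python
"""
Added example (not Jena project code): find ${...} / $${...} lookups in
log4j 2 PatternLayout patterns. SAMPLE_CONFIG is constructed; the key
layout appender.<name>.layout.pattern is an assumption about the config.
"""
import re

# ${prefix:...} or its deferred form $${prefix:...}. The prefix is optional
# because plain ${name} property substitution is a lookup as well.
LOOKUP = re.compile(r"\$\$?\{(?:([A-Za-z]+):)?[^}]*\}")

# Lookup prefixes whose value can come from request-controlled data. ctx
# (the Thread Context Map) is the one the log4j page names for CVE-2021-45105.
ATTACKER_REACHABLE = {"ctx"}


def find_lookups(pattern):
    """Return [(lookup text, prefix)] for every lookup in a layout pattern.
    %d{...}, %c{1} and the like are converters, not lookups, and are ignored."""
    return [(m.group(0), m.group(1) or "") for m in LOOKUP.finditer(pattern)]


def patterns_from_properties(text):
    """Pick every '<key>.pattern = <value>' pair out of a properties-style config."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".pattern"):
            found[key.strip()] = value.strip()
    return found


def audit_config(text):
    """Map each pattern key that contains at least one lookup to its findings."""
    out = {}
    for key, pattern in patterns_from_properties(text).items():
        hits = find_lookups(pattern)
        if hits:
            out[key] = hits
    return out


def severity(hits):
    """'reachable' if any lookup prefix is attacker-reachable, else 'review'."""
    return "reachable" if any(p in ATTACKER_REACHABLE for _, p in hits) else "review"


SAMPLE_CONFIG = """\
# Constructed sample, not the file Jena ships. The first two patterns are the
# Fuseki and command-line patterns quoted in the thread; the third appender is
# hypothetical and exists only to show a ctx lookup being flagged.
status = error
appender.console.type = Console
appender.console.name = OUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{yyyy-MM-dd HH:mm:ss}] %-10c{1} %-5p %m%n
appender.cli.type = Console
appender.cli.name = CLI
appender.cli.layout.type = PatternLayout
appender.cli.layout.pattern = %d{HH:mm:ss} %-5p %-15c{1} :: %m%n
appender.audit.type = Console
appender.audit.name = AUDIT
appender.audit.layout.type = PatternLayout
appender.audit.layout.pattern = %d{HH:mm:ss} [$${ctx:loginId}] %-5p %m%n
"""

if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    for key, hits in findings.items():
        print("%s: %s -> %s" % (key, severity(hits), ", ".join(t for t, _ in hits)))
    if not findings:
        print("no lookups in any pattern")
```

On the sample, the Fuseki and command-line patterns produce no findings and only the hypothetical audit appender is reported, as `reachable`. Other prefixes (`sys:`, `env:`, a bare `${name}`) are reported as `review`: they are not the CVE-2021-45105 condition, but a non-default pattern with any lookup is worth a look, since a later advisory may name a different prefix.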



Don't be surprised if there are more.

When Jackson JSON data binding was found to have vulnerabilities a few 
years ago, there were a number of CVEs as it got a lot of attention.

Also expect nearby projects to get attention.  Logback has registered a 
CVE (it's a remote code JNDI attack) but not from outside text. They 
have removed the "we're not affected" text from the home page.


On 18/12/2021 00:04, Andy Seaborne wrote:
> Hi Andrew,
> 
> Thank you for letting us know.
> 
> Rob spotted that the log4j project security page has been updated:
> 
> https://logging.apache.org/log4j/2.x/security.html
> 
> revising it to critical 9/10
> 
> We've already started a vote on Jena 4.3.2 with log4j 2.16.0.
> 
>    https://lists.apache.org/thread/tj0mo24g8jvfr02964nww96ckfvxnhjm
> 
> (we are not bypassing the need to have the proper votes for a release)
> 
> Very few changes in 4.3.2 but - bonus prize! - JENA-2215 (make sure 
> logging is in the war file) is included.
> 
>      Andy
> 
> On 17/12/2021 21:33, Andrii Berezovskyi wrote:
>> Hello Andy,
>>
>> I hate to be the bearer of bad news, but in a recent discussion on 
>> Lobsters [1] it was brought to my attention that there apparently 
>> exists a bypass [2] of the fix in 2.15.0 that brings back the RCE. To 
>> be clear, the new exploit no longer requires fiddling with the Thread 
>> Context Map settings. The CVE page [3] now says "This vulnerability 
>> has been modified since it was last analyzed by the NVD. It is 
>> awaiting reanalysis which may result in further changes to the 
>> information provided.", which means that the original score 3.7/10 no 
>> longer applies to the new CVE.
>>
>> Harri, the WAR file of the 4.3.1 was missing log4j JARs and I had 
>> success simply placing 2.16.0 JARs myself. You should be able to use 
>> that as a temporary mitigation until the new version comes out.
>>
>> /Andrew
>>
>> [1]: https://lobste.rs/s/ccc9tu/patch_fixing_critical_log4j_0_day_has_its#c_c2syst
>> [2]: https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered
>> [3]: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
>