You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@jena.apache.org by Andy Seaborne <an...@apache.org> on 2021/12/18 00:04:18 UTC
Release 4.3.2 -- was:[ANN] Apache Jena 4.3.1
Hi Andrew,
Thank you for letting us know.
Rob spotted that the log4j project security page has been updated:
https://logging.apache.org/log4j/2.x/security.html
revising it to critical 9/10
We've already started a vote on Jena 4.3.2 with log4j 2.16.0.
https://lists.apache.org/thread/tj0mo24g8jvfr02964nww96ckfvxnhjm
(we are not bypassing the need to have the proper votes for a release)
Very few changes in 4.3.2 but - bonus prize! - JENA-2215 (make sure
logging is in the war file) is included.
Andy
On 17/12/2021 21:33, Andrii Berezovskyi wrote:
> Hello Andy,
>
> I hate to be the bearer of bad news, but in a recent discussion on Lobsters [1] it was brought to my attention that there apparently exists a bypass [2] of the fix in 2.15.0 that brings back the RCE. To be clear, the new exploit no longer requires fiddling with the Thread Context Map settings. The CVE page [3] now says "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.", which means that the original score 3.7/10 no longer applies to the new CVE.
>
> Harri, the WAR file of the 4.3.1 was missing log4j JARs and I had success simply placing 2.16.0 JARs myself. You should be able to use that as a temporary mitigation until the new version comes out.
>
> /Andrew
>
> [1]: https://lobste.rs/s/ccc9tu/patch_fixing_critical_log4j_0_day_has_its#c_c2syst
> [2]: https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered
> [3]: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Re: Release 4.3.2 -- was:[ANN] Apache Jena 4.3.1
Posted by Andy Seaborne <an...@apache.org>.
Part 3.
https://logging.apache.org/log4j/2.x/security.html
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
Fuseki does not have a pattern with with a context Lookup (for example,
$${ctx:loginId}) or indeed any ${} lookup.
Fuseki:
[%d{yyyy-MM-dd HH:mm:ss}] %-10c{1} %-5p %m%n
Command line tools
%d{HH:mm:ss} %-5p %-15c{1} :: %m%n"
Andy
Don't be surprised if there are more.
When Jackson JSON data binding was found to have vulnerabilities a few
years ago, there were a number of CVEs as it got a lot of attention.
Also expect nearby projects to get attention. Logback has registered a
CVE (it's a remote code JNDI attack) but not from outside text. They
have removed the "we're not affected text" from the home page.
On 18/12/2021 00:04, Andy Seaborne wrote:
> Hi Andrew,
>
> Thank you for letting us know.
>
> Rob spotted that the log4j project security page has been updated:
>
> https://logging.apache.org/log4j/2.x/security.html
>
> revising it to critical 9/10
>
> We've already started a vote on Jena 4.3.2 with log4j 2.16.0.
>
> https://lists.apache.org/thread/tj0mo24g8jvfr02964nww96ckfvxnhjm
>
> (we are not bypassing the need to have the proper votes for a release)
>
> Very few changes in 4.3.2 but - bonus prize! - JENA-2215 (make sure
> logging is in the war file) is included.
>
> Andy
>
> On 17/12/2021 21:33, Andrii Berezovskyi wrote:
>> Hello Andy,
>>
>> I hate to be the bearer of bad news, but in a recent discussion on
>> Lobsters [1] it was brought to my attention that there apparently
>> exists a bypass [2] of the fix in 2.15.0 that brings back the RCE. To
>> be clear, the new exploit no longer requires fiddling with the Thread
>> Context Map settings. The CVE page [3] now says "This vulnerability
>> has been modified since it was last analyzed by the NVD. It is
>> awaiting reanalysis which may result in further changes to the
>> information provided.", which means that the original score 3.7/10 no
>> longer applies to the new CVE.
>>
>> Harri, the WAR file of the 4.3.1 was missing log4j JARs and I had
>> success simply placing 2.16.0 JARs myself. You should be able to use
>> that as a temporary mitigation until the new version comes out.
>>
>> /Andrew
>>
>> [1]:
>> https://lobste.rs/s/ccc9tu/patch_fixing_critical_log4j_0_day_has_its#c_c2syst
>>
>> [2]:
>> https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered
>>
>> [3]: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
>