[lyo-dev] Fwd: [ANN] Apache Jena 4.3.1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[lyo-dev] Fwd: [ANN] Apache Jena 4.3.1

From: Andrii Berezovskyi <andriib@xxxxxx>
Date: Fri, 17 Dec 2021 21:46:00 +0000
Accept-language: en-GB, en-US, sv-SE
Delivered-to: lyo-dev@xxxxxxxxxxx
Dkim-filter: OpenDKIM Filter v2.11.0 smtp-relay-3.sys.kth.se 4JG2bv08MKzPRxP
List-archive: <https://www.eclipse.org/mailman/private/lyo-dev/>
List-help: <mailto:lyo-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHX8Ec//MLLU18IxEqH/LRVvPkblA==
Thread-topic: [ANN] Apache Jena 4.3.1

FYI, the "fixed" log4j 2.15.0 version itself has a CVE with a score of 9.0/10 [1].

Eclipse Lyo does not use log4j, for the record.

/Andrew

[1]: https://logging.apache.org/log4j/2.x/security.html

Begin forwarded message:

From: Andrii Berezovskyi <andriib@xxxxxx>

Subject: Re: [ANN] Apache Jena 4.3.1

Date: W50 17 December 2021 at 22:33:57 CET

To: "users@xxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxx>

Reply-To: <users@xxxxxxxxxxxxxxx>

Hello Andy,

I hate to be the bearer of bad news, but in a recent discussion on Lobsters [1] it was brought to my attention that there apparently exists a bypass [2] of the fix in 2.15.0 that brings back the RCE. To be clear, the new exploit no longer requires fiddling with the Thread Context Map settings. The CVE page [3] now says "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.", which means that the original score 3.7/10 no longer applies to the new CVE.

Harri, the WAR file of the 4.3.1 was missing log4j JARs and I had success simply placing 2.16.0 JARs myself. You should be able to use that as a temporary mitigation until the new version comes out.

/Andrew

[1]: https://lobste.rs/s/ccc9tu/patch_fixing_critical_log4j_0_day_has_its#c_c2syst
[2]: https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/#update-the-localhost-bypass-was-discovered
[3]: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
On 2021-12-15, 15:36, "Andy Seaborne" <andy@xxxxxxxxxx> wrote:

   On 15/12/2021 13:44, Harri Kiiskinen wrote:

Hi,

   See
   https://blogs.apache.org/security/

it is possible that our university IT service may yet choose to be
strict about this and require 2.16.0 from all services open to public,

   The PMC are all volunteers.

   This CVE hasn't been scored by NVD yet.
   This CVE requires local access to enable features.

   Many systems use log4j1 that has CVE-2019-17571 (in a component that
   isn't necessarily used). Log4j 1.x is EOL since 2015.

   When Jackson JSON has a serious flaws a few years ago, it was followed
   by a number of CVEs as people looked hard at it.

which would be bothersome four our projects in case Jena stays with
2.15.0. I guess similar situations might exist elsewhere; but perhaps
this is not a question of days, as it was with the previous CVE, since
this is not quite as severe.

   Fuseki uses log4j in default configuration.
   See the CVE details.

My point: I may need to be able to show Jena is using 2.16.0 to be able
to run our servers at some point.

   JENA-2214 - already done.

   The Apache Foundation produces source code.

   Security is one of the reasons for this.

   Binaries are a convenience.

   Take the Jena source release, change the log4j version in the top POM.
   Build.

        Andy

Prev by Date: Re: [lyo-dev] Proposal for removing oslc4j-registry and oslc4j-wink
Next by Date: [lyo-dev] Fwd: [ANNOUNCEMENT] Apache Log4j 2.17.0 Released
Previous by thread: [lyo-dev] JenaTdbStoreImpl removal in Lyo 5.0
Next by thread: [lyo-dev] Fwd: [ANNOUNCEMENT] Apache Log4j 2.17.0 Released
Index(es):
- Date
- Thread

Breadcrumbs