Monthly Archives: December 2021

Apache Log4j vulnerability (CVE-2021-44228)

On Thursday, December 9, 2021, the Apache Log4j project disclosed a critical security vulnerability which may result in remote code execution on systems running Log4j. The exploit has been aptly named Log4Shell (CVE-2021-44228).

Log4j is a logging component which runs under Java on many different platforms, and is useful not only for Java applications, but for other programs, as well. It is commonly bundled with unrelated software, simply as a means of providing a standard logging engine.

Arca Noae has completed a scan of our internal systems and has determined that we are not affected by this vulnerability. Further, ArcaOS has never included any Log4j components, and is also unaffected. However, because the exploitable feature in Log4j has existed for some time, it is possible that Java and other applications may have been installed under ArcaOS which utilize Log4j, and these systems may be at risk.

The feature used for the Log4Shell exploit is in the JNDI (Java Naming and Directory Interface) lookup class which was added to Log4j several years ago during the 2.0 beta cycle. Log4j versions through 2.3 required only Java versions up to 1.6, and so may be utilized by some OS/2-compatible applications.

Risk assessment

To determine whether any of your OS/2 systems may be at risk, start by searching all accessible volumes for log4j-*.jar. If any are found, determine the version of Log4j by examining the content of META-INF/MANIFEST.MF in the core jar file:

[c:\] unzip -c log4j-core.jar META-INF/MANIFEST.MF | less

Note the Implementation-Version line content.

Edge servers as well as firewalled systems running various applications may be at risk, as queries may be submitted to the Log4j engine from other applications and potentially from outside the network.

Mitigation

Although the exploit has been addressed in Log4j 2.16.0, because versions above 2.3 are not currently compatible with OS/2’s available Java Runtime Engine, it is necessary to mitigate the condition by removing the JndiLookup class from the classpath, e.g.:

[c:\] zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Additional information

Older (pre-2.0-beta9) versions of Log4j lack this lookup class, and do not appear to be at risk for Log4Shell (though some earlier security advisories may have been issued). Further research may be needed based upon the version(s) of Log4j which may be in use on these earlier systems. Also, this is not the only security advisory for Log4j 2.0-beta9 – 2.3. This notification is only related to CVE-2021-44228.

Links

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
https://www.kb.cert.org/vuls/id/930724

ArcaOS

ArcaOS 5.0.7 now available

In our continuing commitment to ArcaOS 5.0 (Blue Lion), Arca Noae is pleased to announce the general availability of ArcaOS 5.0.7, the seventh maintenance release of the 5.0 line.

ArcaOS 5.0.7 includes refreshed driver content, updated kernel and included software, as well as installation boot fixes since 5.0.6 was released in 2020. If you have experienced difficulty installing previous releases of ArcaOS on your hardware, 5.0.7 may address your issue(s). If installing from USB stick, the image may be created using any major operating system at hand (Windows, Linux, MacOS, and of course, OS/2, eComStation, and ArcaOS). Once built, the USB stick can be inserted into any USB port in the target system to boot into the ArcaOS installer/updater.

For a complete list of updates in this release, see the ArcaOS wiki. Be sure to review the README.TXT, as well, as this contains critical information to ensure that you get up and running fast, and includes tips for getting things adjusted right away.

This update is included with your valid ArcaOS 5.0 Support & Maintenance subscription at no additional charge. To download your fresh ISO, simply visit your customer portal page, select the Orders & Subscriptions link on the navigation panel to the left, then click on the order for your ArcaOS 5.0 license. Once there, click the download link to request a fresh ISO, and wait for your notification email.

If your ArcaOS 5.0 Support & Maintenance subscription has already expired, and you missed your window of opportunity to renew at regular rates, you may still renew at less than the cost of a new ArcaOS license.