Author Archives: Lewis Rosenthal

Apache Log4j vulnerability (CVE-2021-44228)

On Thursday, December 9, 2021, the Apache Log4j project disclosed a critical security vulnerability which may result in remote code execution on systems running Log4j. The exploit has been aptly named Log4Shell (CVE-2021-44228).

Log4j is a logging component which runs under Java on many different platforms, and is useful not only for Java applications, but for other programs, as well. It is commonly bundled with unrelated software, simply as a means of providing a standard logging engine.

Arca Noae has completed a scan of our internal systems and has determined that we are not affected by this vulnerability. Further, ArcaOS has never included any Log4j components, and is also unaffected. However, because the exploitable feature in Log4j has existed for some time, it is possible that Java and other applications may have been installed under ArcaOS which utilize Log4j, and these systems may be at risk.

The feature used for the Log4Shell exploit is in the JNDI (Java Naming and Directory Interface) lookup class which was added to Log4j several years ago during the 2.0 beta cycle. Log4j versions through 2.3 required only Java versions up to 1.6, and so may be utilized by some OS/2-compatible applications.

Risk assessment

To determine whether any of your OS/2 systems may be at risk, start by searching all accessible volumes for log4j-*.jar. If any are found, determine the version of Log4j by examining the content of META-INF/MANIFEST.MF in the core jar file:

[c:\] unzip -c log4j-core.jar META-INF/MANIFEST.MF | less

Note the Implementation-Version line content.

Edge servers as well as firewalled systems running various applications may be at risk, as queries may be submitted to the Log4j engine from other applications and potentially from outside the network.

Mitigation

Although the exploit has been addressed in Log4j 2.16.0, because versions above 2.3 are not currently compatible with OS/2’s available Java Runtime Engine, it is necessary to mitigate the condition by removing the JndiLookup class from the classpath, e.g.:

[c:\] zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Additional information

Older (pre-2.0-beta9) versions of Log4j lack this lookup class, and do not appear to be at risk for Log4Shell (though some earlier security advisories may have been issued). Further research may be needed based upon the version(s) of Log4j which may be in use on these earlier systems. Also, this is not the only security advisory for Log4j 2.0-beta9 – 2.3. This notification is only related to CVE-2021-44228.

Links

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
https://www.kb.cert.org/vuls/id/930724

ArcaOS

ArcaOS 5.0.7 now available

In our continuing commitment to ArcaOS 5.0 (Blue Lion), Arca Noae is pleased to announce the general availability of ArcaOS 5.0.7, the seventh maintenance release of the 5.0 line.

ArcaOS 5.0.7 includes refreshed driver content, updated kernel and included software, as well as installation boot fixes since 5.0.6 was released in 2020. If you have experienced difficulty installing previous releases of ArcaOS on your hardware, 5.0.7 may address your issue(s). If installing from USB stick, the image may be created using any major operating system at hand (Windows, Linux, MacOS, and of course, OS/2, eComStation, and ArcaOS). Once built, the USB stick can be inserted into any USB port in the target system to boot into the ArcaOS installer/updater.

For a complete list of updates in this release, see the ArcaOS wiki. Be sure to review the README.TXT, as well, as this contains critical information to ensure that you get up and running fast, and includes tips for getting things adjusted right away.

This update is included with your valid ArcaOS 5.0 Support & Maintenance subscription at no additional charge. To download your fresh ISO, simply visit your customer portal page, select the Orders & Subscriptions link on the navigation panel to the left, then click on the order for your ArcaOS 5.0 license. Once there, click the download link to request a fresh ISO, and wait for your notification email.

If your ArcaOS 5.0 Support & Maintenance subscription has already expired, and you missed your window of opportunity to renew at regular rates, you may still renew at less than the cost of a new ArcaOS license.

FAT32 Driver Package version 5.0.4 refreshed

We have identified a minor packaging issue with the FAT32 5.0.4 release which may impact systems using non-English language settings (%LANG% variable). The issue prevents the FAT32 message file from being installed with the driver, and removes any existing FAT32 message file. The refreshed package resolves this condition.

If you downloaded the 5.0.4 package prior to this announcement and your CONFIG.SYS includes a SET LANG statement which is something other than en_US, you should re-download the FAT32 installer from your subscription downloads page.

There are no binary differences between the content of this refreshed package and the original 5.0.4 release, and systems which are configured for LANG=en_US are entirely unaffected (no need for a re-install).

Please read the FAT32 wiki and the ReadMe for additional details and before installing this software.

The FAT32 Installable File System Driver Package is open source, licensed under the GNU LGPLv2.1, with source code publicly available (see the FAT32 wiki for details).

This is not the same driver as distributed by Netlabs, and cannot coexist with components of the Netlabs FAT32 driver. Please uninstall the Netlabs driver first if you wish to install the Arca Noae FAT32 driver.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

FAT32 Driver Package version 5.0.4 released

Arca Noae is pleased to announce the immediate availability of our fork of the FAT32 Installable File System Driver Package for OS/2 version 5.0.4. Arca Noae wishes to thank Gregg Young for his work on this update.

Highlights of this release include:

  • Fixed version string buffer overflow
  • CHKDSK now fixes bad media descriptors (a minor filesystem error)
  • Added /exclude command line switch to IFS to turn off lazy write on a per-disk basis
  • Fixed /Q so it actually is quiet
  • Fixed write failure when cache isn’t enabled
  • Fixed FAT32’s propensity to claim it can handle FAT12/16 volumes

Please read the FAT32 wiki and the ReadMe for additional details and before installing this software.

The FAT32 Installable File System Driver Package is open source, licensed under the GNU LGPLv2.1, with source code publicly available (see the FAT32 wiki for details).

This is not the same driver as distributed by Netlabs, and cannot coexist with components of the Netlabs FAT32 driver. Please uninstall the Netlabs driver first if you wish to install the Arca Noae FAT32 driver.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

Arca Noae Package Manager version 1.0.7 has been released

Arca Noae is pleased to announce the immediate availability of an updated Arca Noae Package Manager for ArcaOS, OS/2, and eComStation. (1.0.7)

This is update includes several minor fixes and a few critical enhancements:

  • Clear repo filter when selecting Installed RPM view.
  • Add 30s timeout to all curl commands.
  • Fix parsing of package name when it contains a period.
  • Ensure Python 2 is always used, now that Python 3 packages may be installed.
  • Initial commit of Russian translation.
  • Detect when CONFIG.SYS is modified.
  • Various UI fixes and tweaks.

Arca Noae Package Manager is available in English with Spanish, French, Italian, German, Dutch, Russian, and Swedish language packs. Some of these have been refreshed for this release.

ANPM 1.0.7 requires WarpIN 1.0.24 for installation. This WarpIN package is available from Hobbes.

This open source utility is available to everyone, free of charge.

Please review the wiki for important first-time installation and upgrade notes and other tips.

ArcaOS Desktop updated to 1.0.14

Dynamic Icons[Edit: Download links have been properly adjusted as of this writing, and should all be working. Apologies for any inconvenience.]

Arca Noae is pleased to announce the immediate availability of ArcaOS Desktop (ANXWP) 1.0.14 in English, German, Dutch, Spanish, Italian, Japanese, and Russian. This is a maintenance release containing bug-fixes and updates that have accumulated over the last year. The primary improvements include:

XShutdown

  • Power-off options have been simplified. The ACPI/APM shutdown option has been removed since the system always uses ACPI if it is available.
  • The shutdown sound which failed to play in Lite versions has now been restored.
  • The XShutdown dialog has been updated to suppress the list of BIOS-bootable partitions when booted in UEFI mode. It should also do a better job of handling situations where the data it collects from AirBoot is corrupt.

Folder Refresh

This feature has been completely rewritten to ensure that every filesystem update is reflected in the display within 1.5 seconds. The rewrite also fixes a bug where the code might try to delete a file that had been deleted then recreated.

Russian NLS (NEW)

Initial Russian language support has been provided by Yurii Zamotailo.

In addition, included is a minor update to Arca Noae Removable Media Monitor which suppresses attachment notifications (and subsequent failure messages) when USB floppy drives and some USB optical drives are plugged in.

See the Version Information topic of the ArcaOS Desktop Users Guide and Reference located in the Help Center for more details about this release.

If you have ArcaOS, this software is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you are still running OS/2 and/or eComStation this is a great reason to consider moving up to ArcaOS. This update includes reserved features licensed for use exclusively with ArcaOS.

 

DFSee 16

DFSee version 16.9 released

DFSee version 16.9 has been released, which is a MINOR release with some bugfixes. Because this is a MINOR release, you get it for FREE if you already have a 16.x key.

Of course, as usual, there are also smaller improvements and bug fixes.

DFSee is a very powerful disk-utility with disk partitioning, filesystem and disk analysis, file recovery/UNDELETE and smart imaging or cloning of partitions or complete disks.

It will require an upgrade if you currently have a registration for an older MAJOR version.

Direct download links from the DFSee website:

https://www.dfsee.com/dfsee/dfsee_install.zip
https://www.dfsee.com/dfsee/dfsee_windows.msi
https://www.dfsee.com/dfsee/dfsee_os2_wpi.exe

Self-booting options:

https://www.dfsee.com/dfsee/dfsee16x_dsk.zip
https://www.dfsee.com/dfsee/dfsee16x_iso.zip
https://www.dfsee.com/dfsee/dfsee16x_stick_iso.zip

Or from the HOBBES website:

http://hobbes.nmsu.edu/pub/incoming/dfsee169.zip
or (after processing):
https://hobbes.nmsu.edu/?dir=%2F&stype=all&sort=type_name&search=dfsee

Functional changes since 16.8

  • RECOVER ExFAT new warning hint when ASSUMING files are contiguous
  • PART Fixed possible crash (string overflow) in certain displays
  • D or DOWN: Correctly go to FS-entry sector, even if bootsec empty
  • EXPORT/IMPORT sector list, fixed displayed the filename used
  • RECOVER, SAVETO and BROWSE streamlined WARNING/ERROR reporting
  • RECOVER, SAVETO and BROWSE recovery, always set file timestamps
  • CMD_WARNING on FileSaveAs alloc fail, is OK, so set timestamps!

Adding Let’s Encrypt’s new root and intermediate certificates to Mozilla applications

On September 30, 2021, Let’s Encrypt’s DST Root CA X3 cross-sign expired, leaving many web browsers to report that sites using Let’s Encrypt SSL certificates were “untrusted” or “unknown.”

Let’s Encrypt did, in fact, implement a new root and intermediate certificates some time ago, but after the built-in certificate stores in the Mozilla applications shipped with all versions of ArcaOS 5.0 to date (5.0 through 5.0.6) were configured. Thus, these new certificates were not included in those builds, and as a result, the new root certificate is indeed unknown.

The fix is relatively simple, and a rather common procedure for all browsers and email clients. To bring your Firefox, Thunderbird, and SeaMonkey certificate stores up to date, and learn how to do this for other new certificates as they become available, we’ve added a new wiki page, here.

Edited to add links to further information (off-site):

Let’s Encrypt – Chain of Trust
Let’s Encrypt – DST Root CA X3 Expiration (September 2021)

Warpstock 2021 Online

Tune in to Warpstock 2021 Online

Warpstock 2021 will happen online at 12:00pm EDT (16:00 UTC) this  Saturday, September 18.

Sessions will be a mix of live and prerecorded presentations, in 45-50-minute slots, scheduled to start on the hour.

David Azarewicz, Lewis Rosenthal, and Alex Taylor will be among those presenting this year on a variety of topics of interest concerning ArcaOS 5.0 and 5.1, device drivers, UEFI, GPT, and more.

Questions may be posed via YouTube Chat as well as IRC during the event.

The WarpEvents YouTube channel is the place to watch the event stream.

The URL for the #warpstock IRC channel is: ircs://irc.libera.chat:6697/warpstock (TLS encrypted),
or irc://irc.libera.chat/warpstock (plain text), or https://web.libera.chat/  (web interface, type #warpstock into Channel field).

The conference is entirely free this year, and no registration is necessary.