Tag Archives: company

Apache Log4j vulnerability (CVE-2021-44228)

On Thursday, December 9, 2021, the Apache Log4j project disclosed a critical security vulnerability which may result in remote code execution on systems running Log4j. The exploit has been aptly named Log4Shell (CVE-2021-44228).

Log4j is a logging component which runs under Java on many different platforms, and is useful not only for Java applications, but for other programs, as well. It is commonly bundled with unrelated software, simply as a means of providing a standard logging engine.

Arca Noae has completed a scan of our internal systems and has determined that we are not affected by this vulnerability. Further, ArcaOS has never included any Log4j components, and is also unaffected. However, because the exploitable feature in Log4j has existed for some time, it is possible that Java and other applications may have been installed under ArcaOS which utilize Log4j, and these systems may be at risk.

The feature used for the Log4Shell exploit is in the JNDI (Java Naming and Directory Interface) lookup class which was added to Log4j several years ago during the 2.0 beta cycle. Log4j versions through 2.3 required only Java versions up to 1.6, and so may be utilized by some OS/2-compatible applications.

Risk assessment

To determine whether any of your OS/2 systems may be at risk, start by searching all accessible volumes for log4j-*.jar. If any are found, determine the version of Log4j by examining the content of META-INF/MANIFEST.MF in the core jar file:

[c:\] unzip -c log4j-core.jar META-INF/MANIFEST.MF | less

Note the Implementation-Version line content.

Edge servers as well as firewalled systems running various applications may be at risk, as queries may be submitted to the Log4j engine from other applications and potentially from outside the network.

Mitigation

Although the exploit has been addressed in Log4j 2.16.0, because versions above 2.3 are not currently compatible with OS/2’s available Java Runtime Engine, it is necessary to mitigate the condition by removing the JndiLookup class from the classpath, e.g.:

[c:\] zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Additional information

Older (pre-2.0-beta9) versions of Log4j lack this lookup class, and do not appear to be at risk for Log4Shell (though some earlier security advisories may have been issued). Further research may be needed based upon the version(s) of Log4j which may be in use on these earlier systems. Also, this is not the only security advisory for Log4j 2.0-beta9 – 2.3. This notification is only related to CVE-2021-44228.

Links

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
https://www.kb.cert.org/vuls/id/930724

Warpstock 2021 Online

Tune in to Warpstock 2021 Online

Warpstock 2021 will happen online at 12:00pm EDT (16:00 UTC) this  Saturday, September 18.

Sessions will be a mix of live and prerecorded presentations, in 45-50-minute slots, scheduled to start on the hour.

David Azarewicz, Lewis Rosenthal, and Alex Taylor will be among those presenting this year on a variety of topics of interest concerning ArcaOS 5.0 and 5.1, device drivers, UEFI, GPT, and more.

Questions may be posed via YouTube Chat as well as IRC during the event.

The WarpEvents YouTube channel is the place to watch the event stream.

The URL for the #warpstock IRC channel is: ircs://irc.libera.chat:6697/warpstock (TLS encrypted),
or irc://irc.libera.chat/warpstock (plain text), or https://web.libera.chat/  (web interface, type #warpstock into Channel field).

The conference is entirely free this year, and no registration is necessary.

Warpstock Europe 2021

Join us for Warpstock Europe 2021 Online

Warpstock Europe 2021 will begin online at 14:00 UTC this coming Saturday, June 5. (For quick reference, that’s 10am EDT/7am PDT in the US and Canada, and 16:00 CET.)

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC. See the Warpstock Europe website for details.

The Warpstock Europe YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel on Freenode: #WSE2021.

The conference is entirely free this year, and no registration is necessary.

Both Lewis Rosenthal and Alex Taylor will be among those presenting this year.

Warpstock 2020 Online

Tune in to Warpstock 2020 Online

Warpstock 2020 will happen online at 9:00am EST (14:00 UTC) this  Saturday, November 7, for those in North America and western Europe, and sessions will repeat in a second block beginning at 8:00pm EST (01:00 UTC, Sunday, November 8) for those in the Asia/Pacific region and eastern Europe. Each block should only be 3-4 hours in length.

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC or YouTube chat.

The WarpEvents YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel: irc://freenode/warpstock

The conference is entirely free this year, and no registration is necessary.

Both David Azarewicz and Lewis Rosenthal will be among those presenting this year.

Have a question? Be sure to read our FAQs

We’ve discussed the wealth of specific information available in our wiki pages in previous blog posts here and here, but there is still another resource available to get quick answers to “how do I…” and other questions: the Arca Noae FAQ.

Searching the FAQ is easy: just type one or more terms into the search box at the top. To browse questions and answers by category, select one of the available categories from the list, and scroll. Another way to search the entire Arca Noae website is to just use the site search box to the right of most pages.

If a FAQ answer has been helpful, please be sure to let us know by clicking the appropriate feedback link at the bottom.

If you happen to find something which doesn’t seem quite right (outdated or perhaps in need of further explanation), please drop us a note to let us know. If you have a suggestion for something to add, please tell us. We continually add questions as they are asked more frequently (hey, it’s a FAQ, after all), and we’ll be sure to consider any suggestions.

Just as the links to the wiki and the ticket system, the FAQ is available from the Support dropdown on the main menu.

Visited the Arca Noae wiki pages recently?

A few months ago, in another blog post, we discussed some things to do before opening a support ticket, including visiting the wiki pages to check for the latest technical and how-to information for your product.

These pages are regularly updated, so even if you’ve looked over them before, they’re worth a re-read.

Web searches are fine, but unfortunately, much of the available information pertaining to OS/2 is either dated or more specifically related to non-ArcaOS distributions or non-Arca Noae drivers. Your first, best place for information on Arca Noae products is right here.

If you happen to find something which doesn’t seem quite right (screenshots or directions outdated), please drop us a note to let us know. If you have a suggestion for something to add (a tip, how-to, or even a missing wiki), please tell us. We keep a running list of pages to update and add, and we’ll be sure to consider any requests we receive.

As always, and as frequently mentioned here, before opening a trouble ticket, be sure to check the wiki pages (self-help is often the best help).

Extended service outage due to Tropical Storm Isaias

All systems are back online as of 5:00am EDT, following a blackout which began at approximately 2:25pm EDT, yesterday.

Power, fiber optic broadband, and even wireless communications were impacted by yesterday’s passing of Isaias, rendering even the best of contingency plans inadequate. We apologize for any inconvenience this may have caused.

About requests for support

Whenever you encounter a problem with Arca Noae software which you cannot resolve on your own, you should consider opening a trouble ticket. If you have a current ArcaOS Support & Maintenance subscription or a current OS/2 & eCS Drivers & Software subscription, we’re here to help in any way we can. You paid for professional support with your software license and/or subscription, and you are entitled to it. To provide that level of service, however, we need a little help from you.

Before opening your ticket, please consider whether the issue is really in Arca Noae software or perhaps in a third-party component bundled with ArcaOS. Third-party software is not produced or directly supported by Arca Noae. Look at the program’s documentation. Where does it say support requests should be directed? If it is third-party software, you should probably start there. On the other hand, if it is a third-party component but your problem seems to have stemmed from the manner in which it was installed during an ArcaOS installation or update, that would be a problem for us to at least review first, because it may involve our installation software (which is our component).

Please don’t take offense if we refer you to the program’s developer or distributor for support. Those entities are probably closer to the source code than we are, and thus in a better position to assist you with your problem. We’re not passing the buck, just trying to direct you to the best place for the help you need.

If your issue is with an Arca Noae component, please review that component’s wiki pages for information on supported configurations as well as debugging instructions. The more you do ahead of time, the more you will know and the more information you will have available when we request it in your ticket. Be sure you’re using the right driver for your hardware. Be sure your system is in a supported configuration.

As a general rule when opening tickets, you should familiarize yourself with our Reporting Problems – Best Practices and Ticket Guidelines wiki pages. While these pages don’t change often, they document the framework within which we process tickets, give you an overview of what to expect from us, and likewise, what we expect from you (see mention above of “a little help from you”).

When a technician or engineer has been assigned to your ticket, consider that person your concierge to a solution for the duration of your problem. He or she is there to help. If that technician or engineer requests logging information, that’s not a suggestion. He or she requests that information in order to resolve the problem.

Always bear in mind that not all problems are reproducible by the technician or engineer, or your problem could be a configuration or usage issue. Often the only objective information the technician or engineer has to work with is contained in the log file(s) requested. If the log file(s) contain what you consider to be sensitive information (usernames, IP addresses, etc.), simply ask the ticket assignee to set your ticket to private status. When private, only you, Arca Noae staff, and developers have access to the information. You also have the option of sanitizing your log info to your satisfaction, as long as such anonymizing does not obscure the underlying data (your ticket assignee can provide more guidance, here; just ask).

If you fail to provide requested information or log files, your ticket assignee may very well resolve the ticket as “reporter unresponsive.” You may reopen the ticket within 30 days of resolution if you provide the requested information. See this FAQ item for information on reopening resolved tickets.

When you attach files to a ticket, please also post a comment. File attachments do not trigger email notifications, and do not change ticket status from Feedback, so without a comment added, the technician or engineer will have no idea that you have provided the requested information, and this may delay the ticket resolution process.

Please do not provide extra, not-requested attachments, such as configuration files and screenshots. If your ticket assignee has need of this information, he or she will ask for it.

Our goal is to resolve your issue as quickly as possible. Some issues may require more time than others. Some issues require group input, and thus, there may be some delays in responding to your ticket. Please be patient.

Above all, our goal is to provide quality software and attentive, professional support. All we ask in return is that you follow the procedures we have put in place so that we may work as efficiently as possible, and you may get back to the business of enjoying your Arca Noae products.