Tag Archives: info

Apache Log4j vulnerability (CVE-2021-44228)

On Thursday, December 9, 2021, the Apache Log4j project disclosed a critical security vulnerability which may result in remote code execution on systems running Log4j. The exploit has been aptly named Log4Shell (CVE-2021-44228).

Log4j is a logging component which runs under Java on many different platforms, and is useful not only for Java applications, but for other programs, as well. It is commonly bundled with unrelated software, simply as a means of providing a standard logging engine.

Arca Noae has completed a scan of our internal systems and has determined that we are not affected by this vulnerability. Further, ArcaOS has never included any Log4j components, and is also unaffected. However, because the exploitable feature in Log4j has existed for some time, it is possible that Java and other applications may have been installed under ArcaOS which utilize Log4j, and these systems may be at risk.

The feature used for the Log4Shell exploit is in the JNDI (Java Naming and Directory Interface) lookup class which was added to Log4j several years ago during the 2.0 beta cycle. Log4j versions through 2.3 required only Java versions up to 1.6, and so may be utilized by some OS/2-compatible applications.

Risk assessment

To determine whether any of your OS/2 systems may be at risk, start by searching all accessible volumes for log4j-*.jar. If any are found, determine the version of Log4j by examining the content of META-INF/MANIFEST.MF in the core jar file:

[c:\] unzip -c log4j-core.jar META-INF/MANIFEST.MF | less

Note the Implementation-Version line content.

Edge servers as well as firewalled systems running various applications may be at risk, as queries may be submitted to the Log4j engine from other applications and potentially from outside the network.

Mitigation

Although the exploit has been addressed in Log4j 2.16.0, because versions above 2.3 are not currently compatible with OS/2’s available Java Runtime Engine, it is necessary to mitigate the condition by removing the JndiLookup class from the classpath, e.g.:

[c:\] zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Additional information

Older (pre-2.0-beta9) versions of Log4j lack this lookup class, and do not appear to be at risk for Log4Shell (though some earlier security advisories may have been issued). Further research may be needed based upon the version(s) of Log4j which may be in use on these earlier systems. Also, this is not the only security advisory for Log4j 2.0-beta9 – 2.3. This notification is only related to CVE-2021-44228.

Links

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
https://www.kb.cert.org/vuls/id/930724

Adding Let’s Encrypt’s new root and intermediate certificates to Mozilla applications

On September 30, 2021, Let’s Encrypt’s DST Root CA X3 cross-sign expired, leaving many web browsers to report that sites using Let’s Encrypt SSL certificates were “untrusted” or “unknown.”

Let’s Encrypt did, in fact, implement a new root and intermediate certificates some time ago, but after the built-in certificate stores in the Mozilla applications shipped with all versions of ArcaOS 5.0 to date (5.0 through 5.0.6) were configured. Thus, these new certificates were not included in those builds, and as a result, the new root certificate is indeed unknown.

The fix is relatively simple, and a rather common procedure for all browsers and email clients. To bring your Firefox, Thunderbird, and SeaMonkey certificate stores up to date, and learn how to do this for other new certificates as they become available, we’ve added a new wiki page, here.

Edited to add links to further information (off-site):

Let’s Encrypt – Chain of Trust
Let’s Encrypt – DST Root CA X3 Expiration (September 2021)

Tune in to Warpstock 2021 Online

Warpstock 2021 will happen online at 12:00pm EDT (16:00 UTC) this Saturday, September 18.

Sessions will be a mix of live and prerecorded presentations, in 45-50-minute slots, scheduled to start on the hour.

David Azarewicz, Lewis Rosenthal, and Alex Taylor will be among those presenting this year on a variety of topics of interest concerning ArcaOS 5.0 and 5.1, device drivers, UEFI, GPT, and more.

Questions may be posed via YouTube Chat as well as IRC during the event.

The WarpEvents YouTube channel is the place to watch the event stream.

The URL for the #warpstock IRC channel is: ircs://irc.libera.chat:6697/warpstock (TLS encrypted),
or irc://irc.libera.chat/warpstock (plain text), or https://web.libera.chat/ (web interface, type #warpstock into Channel field).

The conference is entirely free this year, and no registration is necessary.

Join us for Warpstock Europe 2021 Online

Warpstock Europe 2021 will begin online at 14:00 UTC this coming Saturday, June 5. (For quick reference, that’s 10am EDT/7am PDT in the US and Canada, and 16:00 CET.)

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC. See the Warpstock Europe website for details.

The Warpstock Europe YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel on Freenode: #WSE2021.

The conference is entirely free this year, and no registration is necessary.

Both Lewis Rosenthal and Alex Taylor will be among those presenting this year.

Announcement concerning recently discovered vulnerabilities in the SolarWinds Orion platform

There have been multiple news reports about the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) confirming that malicious threat actors have been and are actively exploiting vulnerabilities in SolarWinds Orion products, primarily by leveraging the SUNBURST malware.

SolarWinds Orion is an IT monitoring solution.

Arca Noae does not now, nor have we ever used any SolarWinds products. As a result, our customers’ information is not vulnerable to these exploits.

We strongly advise our enterprise clients who may be using the Orion platform to review available firewall updates to keep your internal systems secure. As always, Arca Noae stands ready to assist in assessing the overall security of your OS/2 infrastructure.

More information (including CVE links) may be found on the CISA page.

Tune in to Warpstock 2020 Online

Warpstock 2020 will happen online at 9:00am EST (14:00 UTC) this Saturday, November 7, for those in North America and western Europe, and sessions will repeat in a second block beginning at 8:00pm EST (01:00 UTC, Sunday, November 8) for those in the Asia/Pacific region and eastern Europe. Each block should only be 3-4 hours in length.

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC or YouTube chat.

The WarpEvents YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel: irc://freenode/warpstock

The conference is entirely free this year, and no registration is necessary.

Both David Azarewicz and Lewis Rosenthal will be among those presenting this year.

Final Reminder: Reinstate your expired ArcaOS Support & Maintenance subscription now

This is your final reminder that the window of opportunity to reinstate an expired ArcaOS Support & Maintenance subscription at a special price is closing Monday May 18.

Previously, it was impossible to reinstate an expired ArcaOS Support & Maintenance subscription that had been expired for longer than 1 year. That restriction has now been removed. It is now possible to reinstate an expired subscription. Through Monday May 18 you can reinstate an expired ArcaOS Support & Maintenance subscription for the price of a regular one year renewal. After May 18, an additional reinstatement fee will apply. So take advantage of this limited amnesty period and get your subscription back on track before it’s too late.

Even if you’ve never updated ArcaOS 5.0 since your first install, as long as you have an active Support & Maintenance subscription, you may download the latest 5.0.x release and install it as an update to whatever 5.0 release you are using. There is no additional licensing fee for downloading and using these updates.

Somehow, this always seems like something of a mystery, even though this wiki page should help clarify what is a major version, a minor version, and a release. This product in our store outlines the renewal process and this table lays out just what is included in each subscription.

One of the many benefits of regularly renewing your ArcaOS Support & Maintenance subscription is access to the latest released code. There are many exciting things coming for our subscribers. Don’t miss out on a great opportunity to get those updates and the next ArcaOS release as part of your renewed subscription.

ArcaOS Support & Maintenance subscription renewal window is closing

If you’ve let your ArcaOS Support & Maintenance subscription lapse, now is the time to get back on track.

Until now, if you let your ArcaOS Support & Maintenance subscription expire, you would need to purchase a new ArcaOS license to reinstate support. We are making some changes to enable customers to reinstate an ArcaOS Support & Maintenance subscription without purchasing a new ArcaOS license.

For a limited time, we are allowing all who have allowed their ArcaOS Support & Maintenance subscriptions to expire — no matter how long expired — to reinstate them at current prices…but this window is closing rapidly. Once ArcaOS 5.0.5 is released (and that release is imminent), current ArcaOS licensees who have let their subscriptions lapse for six months or more will have to pay more to have their subscriptions reinstated for another full year. While this will still be less than the cost of purchasing a new license, it will be substantially more than the regular renewal price. This policy applies to personal as well as commercial licenses.

Please take a moment to log into your account at Arca Noae, locate your original ArcaOS order, and check to see when support is scheduled to expire (or has already expired) for your product. It is currently only possible to purchase one year of support per renewal, and only for the same number and type of ArcaOS licenses as were in the original order.

To review:

The cost of renewing ArcaOS Support & Maintenance subscriptions is not changing. You will continue to be able to renew your subscription for the same price, and you will still be able to take advantage of the 10% early renewal discount (this discount is reflected in the invoice total).
If you let your ArcaOS Support & Maintenance subscription expire, you will be able to reinstate it by paying the full renewal price any time withing six months of the expiration date. However, during this grace period, the subscription will only be reinstated for the original time period. You will not get “extra” time by reinstating your subscription late. In other words, if you renew on the last day of a six-month lapse would only extend coverage for six months!
If you let your ArcaOS Support & Maintenance subscription lapse for more than six months, the cost of a one-year personal edition Support & Maintenance subscription will retail for $128. For a commercial subscription, the price would be $228.

So if you have let your ArcaOS Support & Maintenance subscription lapse, now is the time to reinstate it. We urge all ArcaOS licensees to renew support early and take advantage of the 10% renewal discount for the best value in their subscriptions.

The online store should send renewal reminders 7 days before expiration, 3 days before, and finally on the expiration date; however, several factors may impact delivery or receipt of these reminders, including change of email address, spam filters, and other factors beyond our control. Check your account portal and make a note of your expiration date(s) so you don’t miss out!

Remember what your active Support & Maintenance subscription includes:

Access to professional support for your product (elevated priority for commercial licensees);
Access to the very latest drivers, fixes, features, and software included in ArcaOS or added later;
Access to the latest release of the same minor version of ArcaOS as originally purchased (so, a Support & Maintenance subscription for ArcaOS 5.0 provides access to all 5.0 releases, as they become available: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, and the upcoming 5.0.5);
Future benefits when the next minor release of ArcaOS becomes available (5.1).

For more information on subscription services, check out our comparison page.

Driver and Software Preview Releases: Some General Guidelines

From time to time, we may make feature preview releases available. Driver and software preview releases differ from new GA releases and testcase packages in several ways. Consider testcase packages first:

Packages uploaded to the testcase files area are made available to specific customers to evaluate the effectiveness of various changes to our GA versions, usually to address one or more issues reported in specific trouble tickets. Feedback from the affected customer(s) is requested when we provide these packages, and these links are limited to only the custmer(s) involved in the related ticket(s), not for general use, and as always, not for sharing with other users.
Sometimes, we may go through several testcase revisions. Usually changes which have been vetted through this process will end up in the next GA of the package. Once the GA is released, all customers with related subscription access to the new package will be able to download and install it.
Testcase packages are almost always time-limited, and the remaining time will be prominently displayed in the banner during bootup or for other software, at program start. If a new GA of the package is not available when nearing the expiration, simply follow-up in the ticket to request a refresh.

In contrast, preview releases serve a different purpose and are subject to different terms of use:

Preview releases are made available to all customers with related subscription access.
Preview releases generally are not updated (one preview is provided before GA).
Preview releases may be time-limited. If a preview release is time-limited, that does not mean that another preview will be made available.
If a time-limited preview release has expired and a GA version has not yet been released, it may be necessary to uninstall it.
No trouble tickets are accepted for problems with preview releases. These are not beta tests. A preview may simply be feature-limited version of what would otherwise be considered finished software, or it may be a preview of as-yet-unfinished software that will be coming soon. Because these releases are previews – and may not be fully functional – reports of missing functionality, unexpected behavior, etc. are not relevant and will not be addressed. Please read the documentation that comes with the preview for a description of its particular limitations.
Preview releases may be completely broken or disabled by a subsequent update of another related GA package. As an example, if installing a preview release of a network driver, and later updating the network stack package, that preview release driver may cease to function. This is not unexpected behavior, and not a software fault. To continue to use the preview, simply return the system to its previous state, wait for the GA release of the driver, and then update the driver and the rest of the stack.
No feedback via email or tickets is requested for preview releases. They are for your benefit and use only, and intended to provide a sample of what is to come.

In the near future, we hope to bring preview releases for various works in later stages of development.

All previews will be available through the ArcaOS Support and Maintenance Subscription, However, some preview packages may not be available through the Arca Noae OS/2 & eCS Drivers and Software Subscription, so now may be a good time to consider moving up to ArcaOS.

Arca Noae progress report: ArcaOS in your language

Translation work continues for ArcaOS. General availability of German and Spanish editions of ArcaOS are anticipated for the 5.0.5 release, with more languages slated to follow. We are making tremendous strides toward achieving the goal of a non-English reader to be able to install and run ArcaOS with minimal effort.

Translators are invited to join a core team working on the project. If you have the linguistic skills, enjoy a challenge, and would like to participate in a truly fun and rewarding endeavor, please let us know. Translators automatically become members of the test team, with early access to development releases (among other benefits).

Potential localized versions of ArcaOS include:

German
Spanish
French
Italian
Dutch
Portuguese
Japanese
Chinese (Simplified)
Chinese (Traditioinal)
Korean
Russian

(This is by no means a promise to deliver any of the above. Partial work has at least been done on most of the above translations, however.)

Need a language not listed above? Need one of the above languages completed sooner? Talk to us about specific localization needs for your enterprise.

Don’t have ArcaOS yet? Now is a great time to pick up a license or two and replace that aging Warp 4 or eComStation installation and get to know what’s new and improved. ArcaOS runs the vast majority of existing OS/2 Warp 4 software, because it really is OS/2 – just better. ArcaOS supports more modern hardware than any other OS/2 distribution available today, making hardware upgrades much easier than ever before.