
Apache Log4j vulnerability (CVE-2021-44228)

On Thursday, December 9, 2021, the Apache Log4j project disclosed a critical security vulnerability which may result in remote code execution on systems running Log4j. The exploit has been aptly named Log4Shell (CVE-2021-44228).

Log4j is a logging component which runs under Java on many different platforms, and is useful not only for Java applications, but for other programs, as well. It is commonly bundled with unrelated software, simply as a means of providing a standard logging engine.

Arca Noae has completed a scan of our internal systems and has determined that we are not affected by this vulnerability. Further, ArcaOS has never included any Log4j components, and is also unaffected. However, because the exploitable feature in Log4j has existed for some time, it is possible that Java and other applications may have been installed under ArcaOS which utilize Log4j, and these systems may be at risk.

The feature used for the Log4Shell exploit is in the JNDI (Java Naming and Directory Interface) lookup class which was added to Log4j several years ago during the 2.0 beta cycle. Log4j versions through 2.3 required only Java versions up to 1.6, and so may be utilized by some OS/2-compatible applications.

Risk assessment

To determine whether any of your OS/2 systems may be at risk, start by searching all accessible volumes for log4j-*.jar. If any are found, determine the version of Log4j by examining the content of META-INF/MANIFEST.MF in the core jar file:

[c:\] unzip -c log4j-core.jar META-INF/MANIFEST.MF | less

Note the Implementation-Version line content.

Edge servers as well as firewalled systems running various applications may be at risk, as queries may be submitted to the Log4j engine from other applications and potentially from outside the network.

Mitigation

Although the exploit has been addressed in Log4j 2.16.0, because versions above 2.3 are not currently compatible with OS/2’s available Java Runtime Engine, it is necessary to mitigate the condition by removing the JndiLookup class from the classpath, e.g.:

[c:\] zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
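
The search, the manifest check and the class removal above can be verified in one pass. The script below is an added example, not Arca Noae's tooling: it assumes Python 3 on a machine that can read the volumes, its status labels are made up for this illustration, and the jars it builds in the demo are constructed stand-ins.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
JAR_NAME = re.compile(r"^log4j-.*\.jar$", re.IGNORECASE)

def inspect_jar(path):
    """Return (Implementation-Version or None, True if JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        text = jar.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
        match = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
        return (match.group(1) if match else None), JNDI_CLASS in names

def scan(root):
    """Walk root and report every log4j-*.jar as (path, version, status)."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not JAR_NAME.match(name):
                continue
            path = os.path.join(folder, name)
            try:
                version, has_jndi = inspect_jar(path)
            except (zipfile.BadZipFile, OSError):
                # Corrupt or locked archive: flag it for manual review.
                findings.append((path, None, "UNREADABLE"))
                continue
            # Status labels are hypothetical names chosen for this example.
            status = "JNDI-LOOKUP-PRESENT" if has_jndi else "no-JndiLookup"
            findings.append((path, version, status))
    return findings

def make_sample_jar(path, version, with_jndi):
    """Build a constructed stand-in jar: a manifest plus an optional empty class entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "log4j-core-2.3.jar"), "2.3", True)
        make_sample_jar(os.path.join(root, "log4j-core-patched.jar"), "2.3", False)
        for path, version, status in scan(root):
            print(status, version, path)
```

A jar reported as JNDI-LOOKUP-PRESENT still carries the lookup class; one reported as no-JndiLookup either predates the class or has already had it removed.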

Additional information

Older (pre-2.0-beta9) versions of Log4j lack this lookup class, and do not appear to be at risk for Log4Shell (though some earlier security advisories may have been issued). Further research may be needed based upon the version(s) of Log4j which may be in use on these earlier systems. Also, this is not the only security advisory for Log4j 2.0-beta9 – 2.3. This notification is only related to CVE-2021-44228.

Links

https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
https://www.kb.cert.org/vuls/id/930724

FAT32 Driver Package version 5.0.4 refreshed

We have identified a minor packaging issue with the FAT32 5.0.4 release which may impact systems using non-English language settings (%LANG% variable). The issue prevents the FAT32 message file from being installed with the driver, and removes any existing FAT32 message file. The refreshed package resolves this condition.

If you downloaded the 5.0.4 package prior to this announcement and your CONFIG.SYS includes a SET LANG statement which is something other than en_US, you should re-download the FAT32 installer from your subscription downloads page.

There are no binary differences between the content of this refreshed package and the original 5.0.4 release, and systems which are configured for LANG=en_US are entirely unaffected (no need for a re-install).

Please read the FAT32 wiki and the ReadMe for additional details and before installing this software.

The FAT32 Installable File System Driver Package is open source, licensed under the GNU LGPLv2.1, with source code publicly available (see the FAT32 wiki for details).

This is not the same driver as distributed by Netlabs, and cannot coexist with components of the Netlabs FAT32 driver. Please uninstall the Netlabs driver first if you wish to install the Arca Noae FAT32 driver.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

USB driver package version 12.10 now available

Arca Noae is pleased to announce the immediate availability of release 12.10 of our USB stack.

This is a maintenance release that contains some significant fixes.

  1. In USBPRT a problem was fixed that can cause this driver to hang in certain situations.
  2. In USBMSD a problem was fixed that prevented some devices with removable media (like USB floppies and USB CD/DVD drives) from being attached properly.
  3. In USBD a problem was fixed with device enumeration that would cause intermittent problems attaching new devices.
  4. In USBXHCD a change was made to how endpoints are initially configured. This change fixes some device attach failures.

Most people will see no change in operation after installing this update. See the package readme.txt for details. This update is recommended for all users.

As usual, this release is update only. It will only update an existing installation. More information about the USB drivers can be found in the wiki.

If you have problems with any of the drivers in this release, please read the Troubleshooting Guide in the wiki first. If your problem cannot be resolved with the Troubleshooting Guide, then the problem should be reported in the ticketing system.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

FAT32 Driver Package version 5.0.4 released

Arca Noae is pleased to announce the immediate availability of our fork of the FAT32 Installable File System Driver Package for OS/2 version 5.0.4. Arca Noae wishes to thank Gregg Young for his work on this update.

Highlights of this release include:

  • Fixed version string buffer overflow
  • CHKDSK now fixes bad media descriptors (a minor filesystem error)
  • Added /exclude command line switch to IFS to turn off lazy write on a per-disk basis
  • Fixed /Q so it actually is quiet
  • Fixed write failure when cache isn’t enabled
  • Fixed FAT32’s propensity to claim it can handle FAT12/16 volumes

Please read the FAT32 wiki and the ReadMe for additional details and before installing this software.

The FAT32 Installable File System Driver Package is open source, licensed under the GNU LGPLv2.1, with source code publicly available (see the FAT32 wiki for details).

This is not the same driver as distributed by Netlabs, and cannot coexist with components of the Netlabs FAT32 driver. Please uninstall the Netlabs driver first if you wish to install the Arca Noae FAT32 driver.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

Warpstock 2021 Online

Tune in to Warpstock 2021 Online

Warpstock 2021 will happen online at 12:00pm EDT (16:00 UTC) this Saturday, September 18.

Sessions will be a mix of live and prerecorded presentations, in 45-50-minute slots, scheduled to start on the hour.

David Azarewicz, Lewis Rosenthal, and Alex Taylor will be among those presenting this year on a variety of topics of interest concerning ArcaOS 5.0 and 5.1, device drivers, UEFI, GPT, and more.

Questions may be posed via YouTube Chat as well as IRC during the event.

The WarpEvents YouTube channel is the place to watch the event stream.

The URL for the #warpstock IRC channel is: ircs://irc.libera.chat:6697/warpstock (TLS encrypted), or irc://irc.libera.chat/warpstock (plain text), or https://web.libera.chat/ (web interface, type #warpstock into Channel field).

The conference is entirely free this year, and no registration is necessary.

USB driver package version 12.09 now available

Arca Noae is pleased to announce the immediate availability of release 12.09 of our USB stack.

This is a maintenance release that fixes a few minor issues and it has some minor enhancements. Most people will see no change in operation after installing this update. See the package readme.txt for details. This update is recommended for all users.

As usual, this release is update only. It will only update an existing installation. More information about the USB drivers can be found in the wiki.

If you have problems with any of the drivers in this release, please read the Troubleshooting Guide in the wiki first. If your problem cannot be resolved with the Troubleshooting Guide, then the problem should be reported in the ticketing system.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

Updated Uniaud Driver Package (20210731) Released

Arca Noae is pleased to announce the immediate availability of an updated Uniaud Audio Driver Package for ArcaOS, OS/2, and eComStation. (Uniaud-20210731)

This release is a minor update that contains a new Uniaud32 which is based on code from the Linux 5.10.50 kernel. Arca Noae thanks and appreciates Paul Smedley for his work on this update.

Please read the Uniaud wiki and the ReadMe for additional details and before installing this software.

Uniaud is free software and is available from several places.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

The Uniaud software is also available from the Netlabs Uniaud trac page at trac.netlabs.org/uniaud.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.

ArcaOS Kernel 14.203 SMP released

Arca Noae is pleased to announce the immediate availability of an updated SMP kernel version 14.203 for ArcaOS. For convenience, the package also contains the previously released W4 kernel version 14.201 for ArcaOS.

This release contains the following changes:

  • Fixed a defect that can cause a double trap on a busy system.

This release is an update for ArcaOS users only. This package contains both the new SMP kernel version 14.203 and the previously released W4 kernel version 14.201. The installer checks your system to see which kernel you have installed and applies the appropriate update automatically. This way you can use this one package to update any ArcaOS system automatically without needing to know which kernel you have.

Warning: Do not install this kernel if you are using ACPI.PSD version 3.23.14 or lower. ACPI.PSD versions 3.23.14 and lower will not recognize this kernel and your system may not boot. If you have ACPI.PSD version 3.23.14 or lower installed, update using the latest ACPI Driver Package (currently v3.23.16) first. Then you can install this kernel. The installer checks this and shows a warning if an incompatible PSD is running.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet moved up to ArcaOS, this might be a great reason to do so now. This update is not available for nor licensed for use with OS/2 or eComStation.

Warpstock Europe 2021

Join us for Warpstock Europe 2021 Online

Warpstock Europe 2021 will begin online at 14:00 UTC this coming Saturday, June 5. (For quick reference, that’s 10am EDT/7am PDT in the US and Canada, and 16:00 CET.)

Sessions will be a mix of live and prerecorded presentations, with the presenters available to answer questions in realtime, submitted during the event via IRC. See the Warpstock Europe website for details.

The Warpstock Europe YouTube channel is the place to watch the event stream. This channel should be viewable with any ArcaOS release, using Firefox or SeaMonkey, or any other device or OS you might want to use.

IRC Channel on Freenode: #WSE2021.

The conference is entirely free this year, and no registration is necessary.

Both Lewis Rosenthal and Alex Taylor will be among those presenting this year.

ACPI Driver Package version 3.23.16 released

Arca Noae is pleased to announce the immediate availability of our ACPI Driver Package for ArcaOS, OS/2, and eComStation version 3.23.16.

This release contains the following changes:

  • Enhanced the memory type sync function to handle more complex memory type changes on SMP systems.
  • Added limited disabled interrupt fixup for some rare BIOS problems.
  • Enhanced some debugging options.
  • Updated to the latest ACPICA.

Please see the ACPI Driver ReadMe for details about this update.

This is considered a critical maintenance update that is recommended for everyone.

If you have ArcaOS, this driver package is available for download from the Arca Noae website as part of the Support & Maintenance subscription for your ArcaOS product. Please log into your account and see your ArcaOS order details page to access your software.

If you have an Arca Noae OS/2 & eCS Drivers and Software Subscription, this driver package is available for download from the Arca Noae website as part of your Arca Noae OS/2 & eCS Drivers and Software Subscription. Please log into your account in order to access your software.

If you are still running OS/2 and/or eComStation systems and haven’t yet purchased a software subscription, this is a great reason to do so now. It may also be a good time to consider moving up to ArcaOS.