This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:

We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Jenkins 2.442
Arbitrary file read vulnerability through the CLI can lead to RCE
SECURITY-3314 / CVE-2024-23897
Severity (CVSS): Critical
Description:

  • Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment.
  • Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.
  • This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
  • Attackers with Overall/Read permission can read entire files.
  • Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count.
  • Binary files containing cryptographic keys used for various Jenkins features can also be read, with some limitations (see note on binary files below). As of publication, the Jenkins security team has confirmed the following possible attacks in addition to reading contents of all files with a known file path. All of them leverage attackers' ability to obtain cryptographic keys from binary files, and are therefore only applicable to instances where that is feasible.
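The affected range above (weekly 2.441 and earlier, LTS 2.426.2 and earlier) is easy to misjudge by eye because weekly and LTS releases use different numbering. The following added example, which is not code from this newsletter or from the Jenkins project, turns those two ceilings into a triage check that can be run over a controller inventory. It assumes version strings in the form Jenkins prints them (two components for weekly releases, three for LTS) and encodes only the ceilings the advisory states; anything above them is treated as outside the affected range. The controller names in the sample inventory are constructed for the example.

```python
"""Triage Jenkins controller versions against the SECURITY-3314 /
CVE-2024-23897 affected range quoted in the advisory text.

Added example, not part of the newsletter or of Jenkins itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ceilings taken from the advisory: last affected weekly and last affected LTS.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)

# Weekly releases look like "2.441"; LTS releases carry a third component, "2.426.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a Jenkins version string into a tuple of integers.

    Raises ValueError for anything that is not MAJOR.MINOR or MAJOR.MINOR.PATCH,
    so an unparseable inventory entry is surfaced rather than silently skipped.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_lts(version: tuple[int, ...]) -> bool:
    """LTS releases have three numeric components; weekly releases have two."""
    return len(version) == 3


def is_affected(text: str) -> bool:
    """True when the version falls inside the advisory's affected range.

    LTS versions are compared against the LTS ceiling and weekly versions
    against the weekly ceiling; tuple comparison handles older LTS lines
    (e.g. 2.414.x) correctly because 2.414 < 2.426.
    """
    version = parse_version(text)
    if is_lts(version):
        return version <= LAST_AFFECTED_LTS
    return version <= LAST_AFFECTED_WEEKLY


@dataclass(frozen=True)
class Controller:
    name: str      # constructed label, not a real host
    version: str   # version string as reported by the controller


def triage(controllers: list[Controller]) -> list[str]:
    """Return the names of controllers that still need the fix, in inventory order."""
    return [c.name for c in controllers if is_affected(c.version)]


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    Controller("ci-weekly-old", "2.441"),
    Controller("ci-weekly-fixed", "2.442"),
    Controller("ci-lts-old", "2.426.2"),
    Controller("ci-lts-older-line", "2.414.3"),
    Controller("ci-lts-newer", "2.440.1"),
]


if __name__ == "__main__":
    for controller in SAMPLE_INVENTORY:
        status = "AFFECTED" if is_affected(controller.version) else "ok"
        print(f"{controller.name:20} {controller.version:10} {status}")
```

The check deliberately refuses unparseable version strings instead of treating them as safe: in an inventory pulled from several sources, a blank or malformed entry is more likely a controller nobody has looked at than one that has been patched.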

Apache Cassandra 4.0.12
* Skip version check if an endpoint is in dead state in Gossiper#upgradeFromVersionSupplier (CASSANDRA-19187)
* Fix Gossiper::hasMajorVersion3Nodes to return false during minor upgrade (CASSANDRA-18999)
* Revert unnecessary read lock acquisition when reading ring version in TokenMetadata introduced in CASSANDRA-16286 (CASSANDRA-19107)
* Support max SSTable size in sorted CQLSSTableWriter (CASSANDRA-18941)
* Fix nodetool repair_admin summarize-pending command to not throw exception (CASSANDRA-19014)
* Fix cassandra-stress in simplenative mode with prepared statements (CASSANDRA-18744)
* Fix filtering system ks sstables for relocation on startup (CASSANDRA-18963)
* Remove completed coordinator sessions (CASSANDRA-18903)
* Make StartupConnectivityChecker only run a connectivity check if there are no nodes which are running a version prior to Cassandra 4 (CASSANDRA-18968)
* Retrieve keyspaces metadata and schema version consistently in DescribeStatement (CASSANDRA-18921)
* Gossip NPE due to shutdown event corrupting empty statuses (CASSANDRA-18913)
* Synchronize CQLSSTableWriter#build on the Schema.instance object (CASSANDRA-18317)
* Fix closing iterator in SecondaryIndexBuilder (CASSANDRA-18361)
* Update hdrhistogram to 2.1.12 (CASSANDRA-18893)
* Improve performance of compactions when table does not have an index (CASSANDRA-18773)
* JMH improvements - faster build and async profiler (CASSANDRA-18871)
* Enable 3rd party JDK installations for Debian package (CASSANDRA-18844)
* Fix NTS log message when an unrecognized strategy option is passed (CASSANDRA-18679)
* Fix BulkLoader ignoring cipher suites options (CASSANDRA-18582)
* Migrate Python optparse to argparse (CASSANDRA-17914)

Merged from 3.11:
* Fix delayed SSTable release with unsafe_aggressive_sstable_expiration (CASSANDRA-18756)
* Revert CASSANDRA-18543 (CASSANDRA-18854)
* Fix NPE when using udfContext in UDF after a restart of a node (CASSANDRA-18739)
* Moved jflex from runtime to build dependencies (CASSANDRA-18664)

Merged from 3.0:
* Suppress CVE-2023-6378 (CASSANDRA-19142)
* Do not set RPC_READY to false on transports shutdown in order to not fail counter updates for deployments with coordinator and storage nodes with transports turned off (CASSANDRA-18935)
* Suppress CVE-2023-44487 (CASSANDRA-18943)
* Fix nodetool enable/disablebinary to correctly set rpc readiness in gossip (CASSANDRA-18935)
* Implement the logic in bin/stop-server (CASSANDRA-18838)
* Upgrade snappy-java to 1.1.10.4 (CASSANDRA-18878)
* Add cqlshrc.sample and credentials.sample into Debian package (CASSANDRA-18818)
* Refactor validation logic in StorageService.rebuild (CASSANDRA-18803)
* Make alteration of a user type validate the same way as creation of a user type does (CASSANDRA-18585)
* Backport of CASSANDRA-16905 Further restrict schema column drop/recreate conversions (CASSANDRA-18760)
* CQLSH emits a warning when the server version doesn't match (CASSANDRA-18745)
* Fix missing speculative retries in tablestats (CASSANDRA-18767)
* Fix Requires for Java for RPM package (CASSANDRA-18751)
* Fix CQLSH online help topic link (CASSANDRA-17534)
* Remove unused suppressions (CASSANDRA-18724)

Non-Security Based Updates

ActiveMQ Artemis 2.32.0
Bug:
* [ARTEMIS-4415] - org.apache.activemq.artemis.tests.integration.server.LVQTest#testMultipleMessages fails intermittently
* [ARTEMIS-4585] - Mirror may fail with previously created SNF queues if metrics plugin is in use

Improvement:
* [ARTEMIS-4579] - Add the *FirstMessage* API for scheduled messages

Docker Compose 2.24.3
Internal:
introduce stopAndRemoveContainer to share logic scaling down

Grafana 10.3.1
-Navigation updates
-Table data in PDF reports
-Dashboards and visualizations
-Canvas visualization supports pan and zoom
-Data visualization quality of life improvements
-New Transformations UI experience and documentation upgrades
-Profiles
-Alerting

Wildfly 31.0.0
Application Server Features

  • MicroProfile updates — We’ve updated our MicroProfile subsystems to the versions in MicroProfile 6.1. (We don’t support MicroProfile Metrics, so we are not a compatible MicroProfile 6.1 Platform implementation, but otherwise we do aim to keep up with the platform).
  • Hibernate — I always hear a lot of community demand for updates to our Hibernate integration, so I’m pleased that in WildFly 31 we were able to move from Hibernate ORM 6.2 up to the 6.4.2 release, the latest available ORM version. Along with that we were able to move to Hibernate Search 7.0.
  • Jakarta MVC 2.1 — In WildFly Preview we added support for Jakarta MVC, using the implementation provided by the Eclipse Krazo project. WildFly Preview provides a new mvc-krazo subsystem, along with a new mvc-krazo Galleon layer that you can add to your provisioning configuration. Please try it out and give us feedback. We hope to bring this subsystem to standard WildFly later this year.
  • AMQP and Reactive Messaging — The MicroProfile Reactive Messaging subsystem now allows exchanging of messages with an AMQP broker via version 1.0 of the AMQP protocol.
  • Subsystem authoring — WildFly Core 23 now includes two new Maven modules, subsystem and service. Both of these aim to make developing and maintaining WildFly extensions easier and more productive. The subsystem module library assists you in writing a proper subsystem configuration model and management API, while the service module helps you properly integrate your subsystem with WildFly’s service container.
  • Stability levels — WildFly 31 introduces the notion of server functionality having four different stability levels (experimental, preview, community, default), with users having the ability when starting WildFly to opt into making less stable features available, or to restrict WildFly to only providing the most stable features. This is part of the overall feature development strategy I outlined last November. In WildFly 31 we’re just getting started with this — introducing the core capability to the server and adding one new feature at the community stability level.
  • Configuration export — That community level feature allows you to use the CLI to export a WildFly server’s configuration to a file that can then be used for another server. WildFly has long allowed you to read the server configuration in the CLI, but the presentation format was not well suited to taking the information and using it elsewhere. This has been enhanced. A particular use case for this would be exporting a domain-mode server’s configuration, where the resulting file can be used to run an equivalent standalone server.

Keycloak 23.0.5
Fix compilation error with ServerInfoAdminResource
Fix logic error in AbstractOAuth2IdentityProvider
fixed possible undefined enabled flag
Fix search in group picker dialog
Fix missing CRD metadata in Operator CSV
Fix typo in the balloon help of SAML Username Template Importer
Revert "Fix lowerCaseHostname to lower-case scheme and host properly"

Node.js 21.6.1
This release fixes a bug in undici using WebStreams
Commits:
[662ac95729] - Revert "stream: fix cloned webstreams not being unref'd" (Matteo Collina) #51491

Prometheus 2.45.3
This release contains security fixes in dependencies and has been built with go1.21.6. #13450.
[BUGFIX] TSDB: Remove double memory snapshot on shutdown. #13110
