The Apache Software Foundation Blog

Monday March 07, 2022

The Apache Weekly News Round-up: week ending 4 March 2022

We're opening March with a cracking week. Here's what the Apache community has been up to:

Sponsor Apache – a number of tax-deductible sponsorships help offset the ASF's day-to-day operating expenses that include infrastructure support, bandwidth, connectivity, servers, hardware, development environments, legal counsel, accounting services, trademark protection, marketing and publicity, educational events, and more.
 - The Apache Software Foundation Welcomes VMware as its Newest Platinum Sponsor

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Announcing New ASF Board of Directors, elected during this week's Members' Meeting.
 - Next Board Meeting: 16 March 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 332 Apache Committers changed 880,561 lines of code over 3,128 commits. Top 5 contributors, in order, are: Olivier Lamy, Andrea Cosentino, Claus Ibsen, Sebastian Rühl, and Eric Milles. 

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf Decanter 2.9.0 released

Content --
 - Apache Jackrabbit Oak 1.22.11 released
 - Apache POI 5.2.1 released
 - CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception 

FinTech --
 - Apache Fineract 1.6.0 released

Libraries --
 - Apache PDFBox JBIG2 ImageIO plugin 3.0.4 released

Logging Services --
 - Apache Log4j 2.17.2 released

Network Application Framework --
 - Apache MINA FtpServer 1.1.3 released

Servers --
 - Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) released 

Workflow --
 - CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in URL


Did You Know?

- Did you know that the Apache Ignite community's CFP for IgniteSummit (taking place online 14 June) closes on 29 April?

- Did you know that HugeGraph (incubating), a large-scale and easy-to-use graph database that stores and queries billions of vertices and edges, is the newest podling undergoing development in the Apache Incubator?

- Did you know that the ASF manages 2,180 mailing lists, 486 of which are private? Over the past year, 19,053 authors sent 1,946,990 emails on 869,461 topics! 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Thursday March 03, 2022

Announcing New ASF Board of Directors

At The Apache Software Foundation (ASF) Annual Members' Meeting held this week, the following individuals were elected to the ASF Board of Directors:

  • Rich Bowen (former Director)
  • Bertrand Delacretaz (current Director)
  • Christofer Dutz (new Director)
  • Roy T. Fielding (current Director)
  • Sharan Foga (current Director)
  • Willem Jiang (new Director)
  • Sam Ruby (current Director)
  • Roman Shaposhnik (current Director)
  • Sander Striker (current Director)


The ASF thanks Justin Mclean, Craig Russell, and Sheng Wu for their service, and welcomes our new and returning directors.

An overview of the ASF's governance, along with the complete list of ASF Board of Directors, Executive Officers, and Project/Committee Vice Presidents, can be found at http://apache.org/foundation/ 

For more information on the Foundation's operations and structure, see http://apache.org/foundation/how-it-works.html#structure 

# # #

The Apache Software Foundation Welcomes VMware as its Newest Platinum Sponsor

Wilmington, DE —3 March 2022— The Apache® Software Foundation (ASF) today welcomed VMware® as its latest sponsor at the Platinum level.

"We are happy to welcome VMware as a Platinum Sponsor," said Bob Paulin, ASF Vice President Fundraising. "Sponsoring the ASF provides essential funds and services that enable us to support more than 300 Apache Projects and their communities on a day-to-day basis. We are grateful for VMware's generosity as it helps us further our mission of providing software for the public good."

"Some of the most important open source projects are ASF projects. VMware customers build and deploy a wide range of products built using the Apache HTTP Server, Tomcat, and Geode, among others," said Dawn Foster, Director of Open Source Community Strategy at VMware. "We are delighted to support the ASF with our sponsorship in addition to the contributions our team members have been making to projects like Apache Geode. It is important to support neutral foundations, like the ASF, that create a level playing field for open source projects where we can all collaborate together as equals."

VMware joins the following organizations:

ASF Sponsors

  • Platinum level --Amazon Web Services, Facebook, Google, Huawei, Microsoft, Namebase, Pineapple Fund, Tencent Cloud, and Yahoo!; 
  • Gold level --Anonymous, Baidu, Bloomberg, Cloudera, Confluent, IBM, Indeed, Union Investment, and Workday;
  • Silver level --Aetna, Alibaba Cloud Computing, Capital One, Comcast, Didi Chuxing, LINE Corporation, Red Hat, Replicated, Talend, and Target;
  • Bronze level --Bestecasinobonussen.nl, Cafe24, Cerner, Crafter CMS, Curity, Goread.io Followers, GridGain, HotWax Systems, LeoVegas Indian Online Casino, Miro-Kredit AG, Paf, PureVPN, RX-M, RenaissanceRe, Sentry, Software Guru DevRel, Technology Innovation Institute, The Blog Starter, Twitter, and Writers Per Hour.

Targeted Sponsors

  • Platinum level --Amazon Web Services, CloudBees, DLA Piper, Fastly, GitHub, JetBrains, JFrog, Leaseweb, Microsoft, OSU Open Source Labs, Sonatype, and Yahoo!;
  • Gold level --Atlassian, Datadog, DinoSource, Docker, and PhoenixNAP;
  • Silver level --Hotwax Systems, Instaclustr, Rackspace, Xiaomi;
  • Bronze level --Education Networks of America, Friend of Apache Cordova, Google, Hopsie, No-IP, PagerDuty, Peregrine Computer Consultants Corporation, Sonic.net, SURFnet, and Virtru.

For more information on becoming a Sponsor of the ASF, please see http://apache.org/foundation/sponsorship.html

About The Apache Software Foundation (ASF)
Established in 1999, The Apache Software Foundation is the world’s largest Open Source foundation, stewarding 227M+ lines of code and providing more than $22B+ worth of software to the public at 100% no cost. The ASF’s all-volunteer community grew from 21 original founders overseeing the Apache HTTP Server to 820+ individual Members and 200 Project Management Committees who successfully lead 350+ Apache projects and initiatives in collaboration with 8,400+ Committers through the ASF’s meritocratic process known as "The Apache Way". Apache software is integral to nearly every end user computing device, from laptops to tablets to mobile devices across enterprises and mission-critical applications. Apache projects power most of the Internet, manage exabytes of data, execute teraflops of operations, and store billions of objects in virtually every industry. The commercially-friendly and permissive Apache License v2 is an Open Source industry standard, helping launch billion dollar corporations and benefiting countless users worldwide. The ASF is a US 501(c)(3) not-for-profit charitable organization funded by individual donations and corporate sponsors that include Aetna, Alibaba Cloud Computing, Amazon Web Services, Anonymous, Baidu, Bloomberg, Capital One, Cloudera, Comcast, Confluent, Didi Chuxing, Facebook, Google, Huawei, IBM, Indeed, LINE Corporation, Microsoft, Namebase, Pineapple Fund, Red Hat, Replicated, Talend, Target, Tencent, Union Investment, VMware, Workday, and Yahoo!. For more information, visit http://apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache" and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Monday February 28, 2022

The Apache Weekly News Round-up: week ending 25 February 2022

Farewell, February --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 323 Apache Committers changed 1,586,514 lines of code over 3,215 commits. Top 5 contributors, in order, are: Claus Ibsen, Jean-Louis Monteiro, Andrea Cosentino, Gary Gregory, and Eric Milles. 

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf Decanter 2.9.0 released

Content --
 - Apache Jackrabbit Oak 1.22.11 released
 - Apache JSPWiki CVE-2022-24947: CSRF Account Takeover
   -- CVE-2022-24948: Cross-site scripting vulnerability on User Preferences screen

FinTech --
 - Apache Fineract 1.6.0 released

Network Client --
 - Apache MINA 2.0.23, 2.1.6 released

Workflow --
 - Apache Airflow CVE-2022-24288: RCE in example DAGs


Did You Know?

 - Did you know that Apache Beam helps Palo Alto Networks meet streaming needs by providing a highly-performant, reliable, and resilient data processing framework for 10 million security events per second across 3 petabytes per day?

 - Did you know that the Australian Department of Transport's Vehicle Inspection System webapp is powered by Apache Wicket?

 - Did you know that Apache Ignite is a distributed cache, a distributed database, an in-memory database, and an in-memory data grid? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday February 21, 2022

The Apache Weekly News Round-up: week ending 18 February 2022

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 350 Apache Committers changed 12,933,273 lines of code over 3,260 commits. Top 5 contributors, in order, are: Claus Ibsen, Udo Schnurpfeil, Andrea Cosentino, Mark Thomas, and Paul King.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Accumulo 1.10.2 released

Content --
 - Apache Tika 1.28.1 released

Libraries --
 - Apache Commons JCS 3.1 released 

Messaging --
 - Apache ActiveMQ 5.16.4 released 


Did You Know?

 - Did you know that select Apache Projects and mentors are preparing for the upcoming GSoC 2022 (mentoring organizations will be announced on 7 March)? Those interested in participating can learn how to get involved at https://community.apache.org/gsoc.html

 - Did you know that the next CloudStack European User Group will be held online on 7 April? 

 - Did you know that the CFP for Ignite Summit (taking place online on 14 June) closes on 29 April? 


Monday February 14, 2022

The Apache Weekly News Round-up: week ending 11 February 2022

Hello, everyone --let's review the Apache community's activities from over the past week:

Apache Software Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs https://s.apache.org/485lz

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 308 Apache Committers changed 5,335,315 lines of code over 2,989 commits. Top 5 contributors, in order, are: Gary Gregory, Emmanuel Lecharny, Mark Thomas, Liang Zhang, and Tilmann Zäschke. 

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.10.2 released
   -- CVE-2022-24112: apisix/batch-requests plugin allows overwriting the X-REAL-IP header 

Big Data --
 - Apache Beam 2.36.0 released

Content --
 - Apache Traffic Control 6.1.0 released
   -- CVE-2022-23206: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
 - Apache Tika 2.3.0 released
   -- Apache Tika 1.x End-Of-Life (EOL) announcement https://s.apache.org/lkqid
 - Apache Jackrabbit 2.21.10 released

Database --
 - Apache JDO 3.2 released
 - Apache Cassandra CVE-2021-44521: Remote code execution for scripted UDFs

Mail --
 - Apache James 3.6.2 released
   -- CVE-2022-22931: Path traversal in Apache James  

Web Frameworks --
 - Apache Wicket 9.8.0 released 


Did You Know?

 - Did you know that you can scale Apache SkyWalking in Kubernetes natively? https://skywalking.apache.org/blog/2022-01-24-scaling-with-apache-skywalking/

 - Did you know that the next Apache Ignite Community Gathering MeetUp will take place online on 16 February? 

 - Did you know that the ASF's seven-member Infrastructure team performs 7M+ weekly checks to ensure services are available around the clock to all Apache Projects and their communities? Average uptime in January 2022 was 100%!


Tuesday February 08, 2022

Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs

“Responding to and Learning from the Log4Shell Vulnerability”

Opening Statement by David Nalley

President, Apache Software Foundation

Senate Committee on Homeland Security and Government Affairs

February 8, 2022


Chairman Peters, Ranking Member Portman, and distinguished members of the Committee: thank you for the invitation to appear this morning.

My name is David Nalley, and I am the President of the Apache Software Foundation (ASF). The ASF is a non-profit public-benefit charity established in 1999 to facilitate the development of open source software. Thanks to the ingenuity and collaboration of our community of programmers, the ASF has grown into one of the largest open source organizations in the world. Today, more than 650,000 contributors around the world contribute to more than 350 ongoing projects, comprising more than 237 million lines of code.

Open source is not simply a large component of the software industry -- it is one of the foundations of the modern global economy. Whether they realize it or not, most businesses, individuals, non-profits, or government agencies depend on open source; it is an indispensable part of America’s digital infrastructure.

Projects developed from open source, like Log4j, tend to resolve problems that many people have, essentially serving as reusable building blocks for solving those problems. This enables faster innovation because it eliminates the need for every company or developer to reimplement software for already solved problems. This efficiency allows programmers to stand on the shoulders of giants. The ASF provides a vendor-neutral environment to enable interested programmers – oftentimes direct competitors of one another – to do this common work together in transparent, open-handed cooperation.

This is the essence of open-source software: brilliant individuals contributing their time and expertise to do unglamorous work solving problems – many with the intent of incorporating the results into their employer’s products. And it’s why I’ve dedicated my professional life to it.

Log4j – first released by Apache in 2001 – is the product of just this kind of collaboration. It performs a particular set of functions, like recording a computer’s operating events, so well that it has been used in products as diverse as storage management software, software development tools, virtualization software and (most famously) the Minecraft video game. As Log4j’s footprint grew over the years, so did its feature list. It was a 2013 addition to Log4j, along with a part of the Java programming environment, that combined in such a way that exposed this security flaw.

The vulnerability was reported to Apache’s Log4j team in late November 2021, after having been latent for many years. The Apache Logging project and Apache’s Security team immediately got to work addressing the vulnerability in the code. The full solution was released approximately two weeks later. Given the near ubiquity of Log4j’s use, it may be months or even years before all deployed instances of this vulnerability are eliminated. As a software professional myself, I am proud of how the Logging project and the ASF’s security team (and many others across the ASF’s projects) responded and remediated last fall. We acted quickly and in accordance with practices we have adopted over many years of supporting a diverse set of open source projects. We will continue to develop our projects in responding to and preventing security vulnerabilities.

Moreover, every stakeholder in the software industry – including its largest customers, like the federal government – should be investing in software supply chain security. While ideas like the Software Bills of Materials won’t prevent vulnerabilities, they can mitigate the impact by accelerating the identification of potentially vulnerable software. However, the ability to quickly update to the most secure and up-to-date versions remains a significant hurdle for the software industry.

The reality is that humans write software, and as a result there will continue to be bugs, and despite best efforts some of those will include security vulnerabilities. As we continue to become ever more connected and digital, the number of vulnerabilities and potential consequences are likely to grow. There is no easy software security solution – it requires defense in depth, incorporating upstream development in open source projects, vendors that incorporate these projects, developers that make use of the software in custom applications, and even down to the organizations that deploy these applications to provide services important to their users.

Rather than shying away from this risk, I submit that software developers, open-source communities, and federal policymakers should face it head-on together – with the determination and the vigilance it demands.

Thank you again, and I look forward to answering any questions you might have.

Monday February 07, 2022

The Apache Weekly News Round-up: week ending 4 February 2022

Welcome, February --we're opening the month with another great week. Here's what the Apache community has been up to:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.89%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 303 Apache Committers changed 9,625,849 lines of code over 3,255 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Claus Ibsen, Sebastian Bazley, Guillaume Nodet, and Eric Milles.

Apache Project Announcements – the latest updates by category.

Apache Attic -- provides process and solutions when an Apache project has reached its end of life.
 - Apache Ambari is retired
 - Apache Usergrid is retired 

APIs --
 - Apache APISIX 2.12.0 released

Big Data --
 - Apache Kyuubi (incubating) 1.4.1-incubating released
 - Apache Hudi 0.10.1 released
 - Apache Gobblin CVE-2021-36151: Local Credentials Disclosure Vulnerability 

Business Intelligence --
 - Apache Superset CVE-2021-44451: API sensitive information leak 

Content --
 - Apache Jackrabbit Oak 1.8.26 released

Integration --
 - Apache Camel 3.15.0 released

Messaging --
 - Apache Pulsar CVE-2021-41571: Pulsar Admin API allows access to data from other tenants using getMessageById API 

Middleware --
 - Apache Linkis (incubating) released 

Programming Languages --
 - Apache Groovy 4.0.0 released 

Servers --
 - Apache HttpComponents Client 5.1.3 GA released
 - Apache HTTP mod_perl 2.0.12 released

Web Frameworks --
 - Apache Wicket 8.14.0 released 


Did You Know?

 - Did you know that the following Apache Projects are celebrating anniversaries this month? Congratulations to Apache HTTP Server (27 years!); Gump and Portals (18 years); Directory, MyFaces, and Xerces (17 years); Tapestry (16 years); Roller (15 years); Cassandra and Subversion (12 years); Chemistry (11 years); BVal and OpenNLP (10 years); Clerezza (9 years); Knox and Spark (8 years); DataFu (4 years); Unomi (3 years); Daffodil, Ratis, and Solr (2 years)! https://projects.apache.org/committees.html?date

 - Did you know that the ASF is joining the Open Geospatial Consortium and Open Source Geospatial Foundation to hold the 2022 Joint OGC-OSGeo-ASF Code Sprint, taking place 8-10 March? Those interested in helping advance OGC Standards through numerous Apache and OSGeo projects are invited to learn more and sign up at https://portal.ogc.org/public_ogc/register/220225asf_codesprint.php 

 - Did you know that the CFP for Airflow Summit (taking place online 23-27 May) is now open?


Tuesday February 01, 2022

Apache Month in Review: January 2022

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in January [video highlights available]:

New This Month --

- Apache in 2021 - By The Digits – a look at the achievements from the Apache Community over the past 12 months
   -- Summary and stats at https://s.apache.org/Apache2021Digits
   -- Video highlights https://youtu.be/GU0SV_2tWkU

- Apache Software Foundation statement on White House Open Source Security Summit 

- Apache Month in Review: December 2021

- ASF Security Report 2021 – the annual state of security across all Apache projects

- The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project


Important Dates --

- Next Board Meeting: 16 February 2022. Board calendar and minutes


Infrastructure --

Our seven-member Infrastructure team on three continents oversees our highly reliable, distributed network under the leadership of VP Infrastructure David Nalley and Infrastructure Administrator Greg Stein. ASF Infrastructure supports 300+ Apache projects and their communities across ~200 individual machines, 1,400+ repositories, 5-6 PB in traffic annually, ~75M downloads per month, and 2-3M daily emails on 2,000+ lists. ASF Infra performs 7M+ weekly checks to ensure services are available around the clock. The average uptime in January was 100%.

Committer Activity --

In January, 672 Apache Committers changed 14,033,278 lines of code over 15,480 commits. The Committers with the top 5 highest contributions, in order, were: Gary Gregory, Claus Ibsen, Mark Thomas, Jarek Potiuk, and Sebastian Bazley.


Project Releases and Updates --

New releases from Apache Airflow (Workflow); APISIX (API); Avro (Big Data); Camel (Integration); DolphinScheduler (Workflow); Flink (Big Data); Geode (Database); Guacamole (Network Client); Hop (Orchestration); Ignite (Big Data); Jackrabbit (Content); James (Mail); Kafka (Big Data); Karaf (Application Servers/Middleware); Knox (Big Data); Log4j (Libraries); MINA (Network Client/Server); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); POI (Content); Portals (Web Frameworks); ShardingSphere (Big Data); ShenYu (Incubating; API); Skywalking (Application Performance Management); Struts (Web Frameworks); Tomcat (Servers); Tuweni (Incubating; Blockchain); and TVM (Machine Learning).


Apache Project Anniversaries in January: Apache Cocoon, James, and Web Services (18 years); Lucene (16 years); ActiveMQ (14 years); Hadoop (13 years); River (10 years); Empire-db and Gora (9 years); OpenMeetings (8 years); Samza (6 years); Arrow (5 years); Ranger (2 years); and Gobblin (1 year). Many happy returns!

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!


Monday January 31, 2022

The Apache Weekly News Round-up: week ending 28 January 2022

Farewell, January -- we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 337 Apache Committers changed 1,533,287 lines of code over 3,738 commits. Top 5 contributors, in order, are: Jarek Potiuk, Sebastian Bazley, Claus Ibsen, Harikrishna Patnala, and Mark Thomas.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache ShenYu (Incubating) 2.4.2 released
   -- CVE-2022-23944: Improper access control
   -- CVE-2022-23945: Missing authentication allows gateway registration 

Application Servers/Middleware --
 - Apache Karaf runtime 4.3.6 released
   -- CVE-2021-41766: Insecure Java Deserialization
   -- CVE-2022-22932: Path traversal flaws 

Blockchain --
 - Apache Tuweni (Incubating) 2.1.0 released

Cloud Computing --
 - Apache Kafka 3.1.0 released

Content --
 - Apache Jackrabbit Oak 1.22.10 released

Databases --
 - Apache Geode 1.14.3 released 

Integration --
 - Apache Camel 3.14.1 (LTS) released 

Orchestration --
 - Apache Hop 1.1.0 released 

Servers --
 - Apache Tomcat CVE-2022-23181: Local Privilege Escalation 

Web Frameworks --
 - Apache Struts 2.5.29 released 


Did You Know?

 - Did you know that the ASF published a statement following the 13 January meeting at the White House on the security of Open Source software? https://s.apache.org/jri14

 - Did you know that members of the Apache Arrow, Flink, Kafka, Mahout, Maven, OpenOffice, ShardingSphere, Spark, and other project communities will be presenting at FOSDEM (taking place online 5-6 February)? 

 - Did you know that the CFP for Beam Summit (hybrid event taking place 18-20 July) closes on 15 March?


Monday January 24, 2022

The Apache Weekly News Round-up: week ending 21 January 2022

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 339 Apache Committers changed 2,470,884 lines of code over 3,505 commits. Top 5 contributors, in order, are: Gary Gregory, Claus Ibsen, Adam Kocoloski, Mark Thomas, and Tian Jiang. 

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX Java Plugin Runner 0.2.0 released

Application Servers/Middleware --
 - Apache Karaf runtime 4.2.15 and 4.3.6 released

Big Data --
 - Apache NiFi 1.15.3 released
 - Apache Flink 1.14.3 released
 - Apache ShardingSphere ElasticJob UI 3.0.1 released
 - Apache Knox 1.6.1 released
   -- CVE-2021-42357: DOM based XSS Vulnerability 

Content --
 - Apache POI 5.2.0 released 

Databases --
 - Apache Geode 1.12.8, 1.13.7 and Kafka Connector 1.1.0 released

Data Management Platform --
 - Apache Ignite 2.12.0 released 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 17.12 End-Of-Life (EOL) announcement https://s.apache.org/hm5oe

Libraries --
 - Apache Log4j 1.x
   -- CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
   -- CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1
   -- CVE-2022-23307: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution

Orchestration --
 - The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project https://s.apache.org/4s3ci

Observability --
 - Apache SkyWalking Cloud on Kubernetes 0.6.1 released

Servers --
 - Apache Tomcat 8.5.75, 9.0.58, 10.0.16, and 10.1.0-M10 (alpha) released 

Workflow --
 - Apache Airflow CVE-2021-45230: Creating DagRuns didn't respect Dag-level permissions in the Webserver 


Did You Know?

 - Did you know that the following Apache projects are celebrating anniversaries this month? Congratulations to Apache Cocoon, James, and Web Services (19 years); Lucene (17 years); ActiveMQ (15 years); Hadoop (14 years); River (11 years); Empire-db and Gora (10 years); OpenMeetings (9 years); Samza (7 years); Arrow (6 years); Ranger (5 years); and Gobblin (1 year) https://projects.apache.org/committees.html?date

 - Did you know that Netflix and Target are building modern analytics applications to deliver interactive data experiences using Apache Druid?

 - Did you know that Disney+Hotstar's streaming data lakes ingest 1 million events per second using Apache Kafka, store 14 TB of data per day in an Apache HBase warehouse, and stream using Apache Hudi? https://projects.apache.org/projects.html?category


Tuesday January 18, 2022

The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project

Wilmington, DE —18 January 2022— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today Apache® Hop™ as a Top-Level Project (TLP).

Apache Hop —the Hop Orchestration Platform— is a flexible, metadata-infused data orchestration, engineering, and integration platform. The project originated more than two decades ago as the Extract-Transform-Load (ETL) platform Kettle (Pentaho Data Integration), was refactored over several years, and entered the Apache Incubator in September 2020. 

"We are pleased to successfully adopt 'the Apache Way' and graduate from the Apache Incubator," said Bart Maertens, Vice President of Apache Hop. "Apache Hop enables people of all skill levels to build powerful and scalable data solutions without the need to write code. As an Apache Top-Level Project, Hop is developed and used by people across the globe. Hop's full project life cycle support helps these data teams to successfully build, test and run their projects in ways that would otherwise be hard or impossible to do."

Using Apache Hop, data professionals can rapidly and affordably facilitate all aspects of data and metadata orchestration whilst supporting DevOps best practices, such as testing. Apache Hop’s Java-based visual designer, server, and configuration tools are easy to set up, deploy, and maintain across numerous platforms. Features include:

  • Lightweight "design once, run anywhere" architecture: workflows and pipelines can be designed in the Hop GUI and executed locally or remotely on the Hop native engine, on Apache Flink, Apache Kafka, Apache Spark, Google Dataflow, or AWS EMR through Apache Beam runtimes;

  • Metadata-driven: every object type in Hop describes how data is read, manipulated or written, or how workflows and pipelines need to be orchestrated. In addition, Hop itself is internally metadata-driven, using a kernel architecture with a robust engine;

  • Visual development environment: an intuitive drag-and-drop graphical user interface (GUI) enables developers to enjoy the ease and productivity of visual development rather than code. Using Hop, data engineers can focus on business logic and requirements rather than on how it needs to be done;

  • Plug-in integration: more than 250 plugins make it easy to manage ecosystem complexity and add new functionality; and

  • Built-in lifecycle management: enables developers, engineers, and administrators to manage, test, deploy, and switch between projects, workflows, pipelines, environments, purposes, Git versions and more, all from the Hop GUI.


Apache Hop has been designed to work in any scenario: on-premises, on a cloud, on a bare OS, in containers, IoT environments, large datasets, and more, on Windows, Linux, and OSX.

Many of the thousands of organizations in finance, retail, supply chain, and other sectors that use Kettle (Pentaho Data Integration; the precursor to Apache Hop) have started to look into Hop or already are in the process of upgrading to Hop.

"I'm very happy that we can now safely collaborate with any company or person across the global community under the umbrella of the Apache Software Foundation on something as cool as Apache Hop," said Matt Casters, Chief Solution Architect at Neo4j and member of the Apache Hop Project Management Committee.

"We started adopting Apache Hop in our data integration projects in early 2021 because of its flexibility, scalability and ease of use, in various scenarios ranging from classical DWH ETL processes to highly critical, real-time processes," said Sergio Ramazzina, CEO and Chief Architect at Serasoft S.r.l., and member of the Apache Hop Project Management Committee. "We are impressed by how responsive the community is in solving issues and helping users approaching the platform -- an important point to increase user adoption and trust. We welcome everyone joining our Hop community and contributing to the project."

"This graduation is just the beginning for Hop, and is proof that great communities build great software. The entire Hop community would like to thank the Apache Software Foundation for making this possible, especially our mentors who guided us through the Incubator," added Maertens. "We invite everyone to download and try Hop, join our chat and become part of the Hop community."

Catch Apache Hop in action at a future Hop community event. For more information and to register, visit https://hop.apache.org/community/events/ 

Availability and Oversight
Apache Hop software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache Hop, visit https://hop.apache.org/ and https://twitter.com/ApacheHop 

About the Apache Incubator
The Apache Incubator is the primary entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects enter the ASF through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/ 

About The Apache Software Foundation (ASF)
Established in 1999, The Apache Software Foundation is the world’s largest Open Source foundation, stewarding 227M+ lines of code and providing more than $22B+ worth of software to the public at 100% no cost. The ASF’s all-volunteer community grew from 21 original founders overseeing the Apache HTTP Server to 820+ individual Members and 200 Project Management Committees who successfully lead 350+ Apache projects and initiatives in collaboration with 8,400+ Committers through the ASF’s meritocratic process known as "The Apache Way". Apache software is integral to nearly every end user computing device, from laptops to tablets to mobile devices across enterprises and mission-critical applications. Apache projects power most of the Internet, manage exabytes of data, execute teraflops of operations, and store billions of objects in virtually every industry. The commercially-friendly and permissive Apache License v2 is an Open Source industry standard, helping launch billion dollar corporations and benefiting countless users worldwide. The ASF is a US 501(c)(3) not-for-profit charitable organization funded by individual donations and corporate sponsors that include Aetna, Alibaba Cloud Computing, Amazon Web Services, Anonymous, Baidu, Bloomberg, Capital One, Cloudera, Comcast, Confluent, Didi Chuxing, Facebook, Google, Huawei, IBM, Indeed, Microsoft, Namebase, Pineapple Fund, Red Hat, Replicated, Talend, Target, Tencent, Union Investment, Workday, and Yahoo!. For more information, visit http://apache.org/ and https://twitter.com/TheASF 

© The Apache Software Foundation. "Apache", "Hop", "Apache Hop", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Monday January 17, 2022

The Apache Weekly News Round-up: week ending 14 January 2022

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Security Report 2021 – the state of security across all Apache projects with key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues https://s.apache.org/SecurityReport2021

Apache Software Foundation statement on White House Open Source Security Summit https://s.apache.org/jri14

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 322 Apache Committers changed 1,963,025 lines of code over 3,852 commits. Top 5 contributors, in order, are: Gary Gregory, Antoine Toulme, Claus Ibsen, Mark Thomas, and Dan Klco. 

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Flink ML 2.0.0 released

Content --
 - Apache Jackrabbit 2.16.9 released

Machine Learning --
 - Apache TVM 0.8.0 released

Network Client --
 - Apache Guacamole 1.4.0 released
   -- CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections 
   -- CVE-2021-43999: Improper validation of SAML responses 

Observability --
 - Apache SkyWalking Kong version 0.2.0 released

Workflow --
 - Apache DolphinScheduler 2.0.2 released
 - Apache Airflow Helm Chart 1.4.0 released


Did You Know?

 - Did you know that more than 630,000 individuals have contributed to Apache projects and initiatives since the ASF's incorporation in 1999? https://blogs.apache.org/foundation/entry/apache-in-2021-by-the 

 - Did you know that Apache DolphinScheduler won a "2021 OSC Most Popular Projects" award from OSCHINA?

 - Did you know that video recordings from the 2021 TVMCon (Apache TVM and Open Source ML acceleration conference) are now available online?


Thursday January 13, 2022

Apache Software Foundation statement on White House Open Source Security Summit

The Apache Software Foundation (ASF) participated today in a meeting hosted by the White House to discuss security of open source software, and how to improve the "supply chain" of open source software to better facilitate the rapid adoption of security fixes when necessary.


The virtual summit included representation from a number of companies and U.S. departments and agencies. Three representatives of the ASF participated: ASF President David Nalley, VP of Security Mark Cox, and ASF board member Sam Ruby.

Securing open source and its supply chain


The ASF produces software for the public good. We are committed to working with the larger community, including industry and government consumers of open source software, to find ways to improve security while adhering to The Apache Way.


This means that we believe the path forward will require upstream collaboration by the companies and organizations that consume and ship open source software. There's no single "silver bullet" to get there, and it will take all of our organizations working together to improve the open source supply chain.


Since its inception more than 20 years ago, the ASF has evolved and adapted to meet the changing needs of its mission: to provide software for the public good by supporting and serving its project communities. To do this, we've refined our governance models, our infrastructure, our recommended best practices, and more over the years.


We expect to continue to evolve and improve over the next 20 years, and helping to improve the security of the open source supply chain is part of that. We are committed to doing the work through our communities to help make that a reality.

Communities thrive on conversation

Those who are familiar with the ASF know that we value community and having a level playing field for contributors. We believe today’s conversation is a good beginning that can help catalyze and direct a wider response to addressing today’s security needs for open source software. 


Many of the organizations represented today are important contributors and consumers of open source, but of course are not all of the important contributors or consumers. We know that it’s important to hear from individual contributors as well as corporations, foundations and government entities. For our part, we’ll strive to make sure that happens.


As always, we welcome participation and contributions in our communities from those who wish to show up and be part of the projects that are part of the ASF. We appreciate the opportunity to participate in today's conversation, and look forward to participating in the follow-on conversations that this effort inspired.

Monday January 10, 2022

Apache Software Foundation Security Report: 2021

Synopsis: This report explores the state of security across all of The Apache Software Foundation projects for the calendar year 2021. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.


Released: January 2022


Author: Mark Cox, Vice President Security, The Apache Software Foundation

Background

The security committee of The Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 350+ Apache projects. Established in 2002 and composed entirely of volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.


Anyone finding security issues in any Apache project can report them to security@apache.org, where they are recorded and passed on to the relevant dedicated security teams or private project management committees (PMCs) to handle. The security committee monitors all the issues reported across all the projects and keeps track of the issues throughout the vulnerability lifecycle.


The security committee is responsible for ensuring that issues are dealt with properly and actively reminds projects of their outstanding issues and responsibilities. As a board committee, we have the ability to take action, including blocking a project's future releases or, in the worst case, archiving the project if it is unresponsive in handling its security issues. This, along with the Apache License v2.0, is a key part of the ASF's general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.


The oversight into all security reports, along with tools we have developed, gives us the ability to easily create metrics on the issues. Our last report covered the metrics for 2020.

Statistics for 2021

In 2021 our security email addresses received in total ~18,500 emails. After spam filtering and thread grouping there were 1272 (2020: 946, 2019: 620) non-spam threads. Unfortunately, security reports do sometimes look like spam, especially if they include lots of attachments or large videos, so the security team is careful to review all messages to ensure real reports are not missed for too long.


Diagram 1: Breakdown of ASF security email threads for calendar year 2021


Diagram 1 gives the breakdown of those 1272 threads.  359 threads (28%) were people confused by the Apache License.  As many projects use the Apache License, not just those under the ASF umbrella, people can get confused when they see the Apache License and they don't understand what it is. This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.  We no longer reply to these emails. This is up from the 257 received in 2020.


The next 337 of the 1272 (26%) are email threads with people asking non-security (usually support-type) questions.


The next 135 of those reports were researchers reporting issues in an Apache web site.  These are almost always false positives, where a researcher reports us having directory listings enabled, source code visible, public ".git" directories, and so on.  These reports are generally the unfiltered output of some publicly available scanning tool, and often the reporter asks us for some sort of monetary reward (bounty) for their report.


That left 441 (2020: 376, 2019: 320) reports of new vulnerabilities in 2021, which spanned 99 of the top level projects.  These 441 reports are a mix of external reporters and internal. For example, where a project has found an issue themselves and followed the ASF process to assign it a CVE (Common Vulnerabilities and Exposures) name and address it, we’d still count it here.  We don’t keep metrics that would give the breakdown of internal vs external reports.


The next step is that the appropriate project triages the report to see if it's really an issue or not.  Invalid reports and reports of things that are not actually vulnerabilities get rejected back to the reporter.  The remaining, accepted issues are assigned appropriate CVE names and eventually fixes are released.


As of January 1st 2022, 50 of those 441 reports were still under triage and investigation. This is where a project was working on an issue and had not rejected the issue or assigned it a CVE as of the snapshot taken on January 1st 2022.  This number was higher than what we’d normally expect and was due to the large influx of reports that came at the end of December 2021.


The remaining 391 (2020: 341, 2019: 301) reports led to us assigning 183 (2020: 151, 2019: 122) CVE names.  Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names.  The Apache Security committee handles CVE name allocation and is a MITRE Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts MITRE directly or goes public with an issue before contacting us.

Noteworthy events

During 2021 there were a few events worth discussing; either because they were severe and high risk, they had readily available exploits, or there was media attention. These included:

  • January: A cross-site scripting (XSS) flaw was found in the default error page of Apache Velocity (CVE-2020-13959) which affected a number of publicly visible websites. Despite a fix being available, it then took several months to produce a new release including the fix, causing the reporter to publicise it early. As a consequence, the security team did a deeper dive through all the outstanding open issues with the affected PMCs to ensure they were all being handled.

  • January: A report was published which showed how malware is still exploiting Apache ActiveMQ instances that have not been patched for over 5 years (CVE-2016-3088).

  • June: The Airflow PMC published a blog about how they handle security issues, how users are sometimes slow to deploy updates (CVE-2020-17526), and how flaws in dependencies can affect Airflow.

  • July: A third-party blog explained how threat actors are exploiting misconfigured Apache Hadoop YARN services.

  • August: A researcher discovered a number of issues in HTTP/2 implementations.  The Apache HTTP Server was affected by a moderate vulnerability (CVE-2021-33193).

  • September: A keynote presentation at ApacheCon 2021 discussed the security committee, the US Executive Order on Improving the Nation’s Cybersecurity, and third party security projects such as those under the OpenSSF.

  • September: A flaw in Apache OpenOffice could allow a malicious document to run arbitrary code if opened (CVE-2021-33035).

  • October: A critical issue was found in the Apache HTTP Server. The default configuration protected against this vulnerability, but in custom configurations without those protections, and with CGI support enabled, it could lead to remote code execution (CVE-2021-41773). The issue was fixed in an update 5 days after it was reported to the security team; however, the fix was quickly found to be insufficient and a further update to fully address it was released 3 days after that (CVE-2021-42013). A MetaSploit exploit exists for this issue.

  • October: The Internet Bug Bounty from HackerOne extended their program to include Apache Airflow, the Apache HTTP Server, and Apache Commons.  Unlike many other programs, this program relies on vulnerability finders following the standard ASF notification process, and allows finders to claim a reward for eligible issues after the fix is available and the issue is public.

  • December: A vulnerability in Log4J 2 (CVE-2021-44228, “Log4Shell”), a popular and common Java logging library, allowed remote attackers to achieve remote code execution in a default and likely installation.  The issue was widely exploited, starting the day before a release with a fix was published.  There is a MetaSploit exploit module for this issue. After the fixed release a few subsequent Log4J vulnerabilities were also fixed, but none had the same impact or default conditions.  

  • December: The ASF was invited to a forum in 2022 around open source security ("White House Extends Invitation to Improve Open-Source Security").  We produced a position paper in advance of the meeting.

Timescales

Our security teams and project management teams are all volunteers and so we do not give any formal SLA on the handling of issues.  However we can break down our aims and goals for each part of the process:


Triage: Our aim is to handle incoming mails to the security@apache.org alias within three working days.  We do not measure or report on this because we assess the severity of each incoming issue and apply the limited resources we have appropriately.  The alias is staffed by a very small number of volunteers drawn from the different project PMCs.  After the security team forwards a report to a PMC, the PMC will reply to the reporter.  Sometimes reporters send reports attaching large PDF files or even movies of exploitation that don't make it to us due to size restrictions on incoming email, so please ensure any follow-ups are a simple plain text email.


Investigation: Once a report is sent to the private list of the project's management committee, the process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed.  As security issues are dealt with in private, we send reports to a private list made up only of the PMC. Therefore these reports do not reach every project committer, so there is a smaller set of people in each project able to investigate and respond.  As a general guideline we try to ensure projects have triaged issues within 90 days of the report.  The ASF security team follows up on any untriaged issues over 90 days old.


Fix: Once a security issue is triaged and accepted, the timeline for fixing it depends on the schedules of the projects themselves.  Issues of lower severity are most often held for pre-planned releases.  


Announcement: Our process allows projects up to a few days between a fix release being pushed and the announcement of the vulnerability.  All vulnerabilities and mitigating software releases are announced via the announce@apache.org list.  We now aim to have them appear in the public CVE project list within a day of that announcement, and even quicker for critical issues.

Conclusion

The Apache Software Foundation projects are highly diverse and independent.  They have different languages, communities, management, and security models.  However one of the things every project has in common is a consistent process for how reported security issues are handled. 


The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly.  This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.


This report gave metrics for calendar year 2021 showing that from the 18,500 emails received we triaged over 390 vulnerability reports relating to ASF projects, leading to 183 (CVE) issues being fixed.  The number of non-spam threads dealt with was up 34% from 2020, with the number of actual vulnerability reports up 17% and assigned CVEs up 21%.


While the ASF often gets updates for critical issues out quickly, reports show that users are still being exploited through old issues in deployments of ASF software that have not been updated for years, and that vendors (and, thus, their users) still make use of end-of-life versions which have known unfixed vulnerabilities. This will continue to be a big problem and we are committed to engaging on this industry-wide problem to figure out what we can do to help.


If you have vulnerability information you would like to share, please contact us; for comments on this report, see the public security-discuss mailing list.
