The Apache Weekly News Round-up: week ending 24 December 2021

Happy Friday, everyone. The Apache community has had another great week. Let's review what we've been up to:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 317 Apache Committers changed 9,133,089 lines of code over 3,258 commits. Top 5 contributors, in order, are: Gary Gregory, Harikrishna Patnala, Claus Ibsen, Duo Zhang, and Andi Huber.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache NiFi 1.15.2 released
 - Apache HBase 3.0.0-alpha-2 released
 - Apache Parquet 1.11.2 and 1.12.2 released
   -- CVE-2021-41561: Potential DoS in case of malicious Parquet file

Build Management --
 - Apache Archiva 2.2.7 released

Content --
 - Apache JSPWiki 2.11.1 released
 - Apache Traffic Control 6.0.2 released
 - Apache Jackrabbit FileVault 3.5.8  released
 - Apache Tika 1.28 and 2.2.1 released

Databases --
 - Apache Geode 1.12.7, 1.13.6, and 1.14.2 released 

Data Management Platform --
 - Apache Ignite 2.11.1 released

IoT --
 - Apache PLC4X 0.9.1 released
   -- CVE-2021-43083: Buffer overflow in PLC4C via crafted server response 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 18.12.04 released 

Libraries --
 - Apache Log4j 2.3.1, 2.12.3, and 2.17.0 released
   -- CVE-2021-45105: Log4j2 does not always protect from infinite recursion in lookup evaluation
 - Apache MXNet (Incubating) 1.9.0 released
 - Apache Daffodil 3.2.1 released

Mail --
  - Apache James 3.6.1 released 

Messaging -- 
 - Apache Qpid JMS 0.60.1, 0.61.0, 1.4.1, and 1.5.0 released
 - Apache Pulsar 2.9.1 released 

Search --
 - Apache Lucene 8.11.1 released
 - Apache Solr 8.11.1 released
   -- CVE-2021-44548: Apache Solr information disclosure vulnerability through DataImportHandler 

Servers --
 - Apache HTTP Server 2.4.52 released
   -- CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua
   -- CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations
 - Apache HttpComponents Core 5.1.3 GA released

Web Frameworks--
- Apache Struts 2.5.28.1 and 2.5.28.2 released 

Workflow --
 - Apache DolphinScheduler 2.0.1 released
 - Apache Airflow 2.2.3 released

Did You Know?

 - Did you know that ASF Security posted the status of more than three dozen Apache Projects in relation to the recent Apache Log4j vulnerability? https://blogs.apache.org/security/entry/cve-2021-44228 (please check individual projects not included in this list for updates)

 - Did you know that Apache Roller (which powers blogs.apache.org) new v6.1.0 contains upgrades for more than a dozen dependencies (including Log4j), along with many bug fixes and improvements to the code base? https://roller.apache.org/

 - Did you know that tax-deductible donations support the ASF's day-to-day operations that benefit 350+ Apache Projects and their communities? Donate online using ACH, credit card, PayPal, Apple Pay, Google Pay, and Microsoft Pay https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:38PM Dec 27, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 17 December 2021

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 346 Apache Committers changed 1,957,663 lines of code over 3,699 commits. Top 5 contributors, in order, are: Sebastian Bazley, Claus Ibsen, Owen Nichols, Gary Gregory, and Daniel Gruno.  

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Druid 0.22.1 released
 - Apache Calcite Avatica 1.20.0 released
 - Apache NiFi 1.15.1 released
 - Apache Flink 1.14.2, 1.13.5, 1.12.7, and 1.11.6 released 

Build Management --
 - Apache Archiva 2.2.6 released

Content --
 - Apache Jackrabbit 2.21.9  released
 - Apache Tika 2.2.0 released
 - Apache PDFBox 2.0.25 released 

Databases --
 - Apache Geode 1.12.6, 1.13.5, and 1.14.1 released 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 18.12.03 released

Identity Management --
 - Apache Fortress 2.0.7 released 

Integration --
 - Apache Camel 3.14.0 released

Libraries --
 - Apache Log4j 2.12.2 and 2.16.0 released
   -- CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
   -- CVE-2021-45046: Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Search --
 - Apache Solr 8.11.1 released 

Servers --
 - Apache HttpComponents HttpAsyncClient 4.1.5 GA released 

Testing --
 - Apache JMeter 5.4.2 released 

Web Frameworks --
 - Apache Struts 2.5.28 released

Did You Know?

 - Did you know that the Apache Logging Services Project Management Committee (PMC) worked around the clock to release v.2.15.0 and v2.16.0 to address the critical Log4j RCE vulnerability? https://logging.apache.org/log4j/2.x/

 - Did you know that many Apache Projects and their communities have provided patches, fixes, or guidelines for their users to mitigate the recent Apache Log4j Zero Day vulnerability? Check the list of Apache Projects affected by the Log4j CVE https://blogs.apache.org/security/entry/cve-2021-44228 , and read our published statement and FAQs at https://blogs.apache.org/foundation/entry/apache-log4j-cves for more information.

 - Did you know that the Apache Local Chapter/Beijing recently celebrated its 2-year anniversary, joining Indore (2.5 years), Warsaw and Budapest (1.5 years), Lagos (4 months), and Shenzhen (launching this week!)? 

- Did you know that individuals and organizations can support the ASF through one-time and recurring tax-deductible donations online using ACH, credit card, and PayPal, as well as Apple Pay, Google Pay, and Microsoft Pay (using your mobile device)? https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:14PM Dec 20, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache Log4j CVEs

The Apache Software Foundation project Apache Logging Services has responded to a security vulnerability that is described in two CVEs, CVE-2021-44228 and CVE-2021-45046. In this post we’ll list the CVEs affecting Log4j and keep a list of frequently asked questions. 

The most recent CVE has been addressed in Apache Log4j 2.16.0, released on 13 December. We recommend that users update to 2.16.0 if possible. While the 2.15.0 release addressed the most severe vulnerability, the fix in Log4j 2.15.0 was incomplete in some non-default configurations and could allow an attacker to execute a denial of service (DoS) attack. Users still on Java 7 should upgrade to the Log4j 2.12.2 release. 

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

In Apache Log4j2 versions up to and including 2.14.1, the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

See the entire description and history on the Apache Logging security page.

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 

This could allow attackers, in some situations, to craft malicious input data using a JNDI Lookup pattern resulting in a DoS attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.

See the entire description and history on the Apache Logging security page.

CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

Apache Log4j 1.x has been end-of-life since August 2015. However, we are aware that it is still a dependency for some applications and in use in some environments. We have found that Log4j 1.2, if used in a non-default configuration with JMSAppender used to perform JNDI requests, is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.

This is not the same vulnerability described in the recent Log4j 2.x CVEs, but it could also result in remote code execution (RCE), so we are providing this information to make users aware of the vulnerability and urge them to upgrade to Log4j 2.16.0 or 2.12.2, or to take steps to mitigate the issue by disabling the use of JMSAppender to perform JNDI requests.

Frequently Asked Questions about the Log4j vulnerabilities

In this section we’ll try to address some of the most common questions that our community and press have had about the Log4j vulnerabilities. 

What about systems or applications with Log4j 1.x?

While the Log4j 1.x series is not known to be affected by the two CVEs above, it has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

How many systems have been impacted or how widespread is the impact of this CVE?

Log4j, like all software distributed by the Apache Software Foundation, is open source. It’s been distributed via a mirror system for many years and then more recently via a Content Delivery Network (CDN) directly to users and developers, and also to organizations who have then shipped it as part of their projects, products or services. 

We know that Log4j is included in a number of ASF projects, other open source projects and a number of products and services. But beyond that any numbers would merely be speculation and most likely wrong by a wide margin.

Are any other Apache projects impacted by the Log4j vulnerabilities?

Yes. The Apache Security Team has compiled a list of projects that are known to be affected with links to updates if available. See the Apache projects affected by log4j CVE-2021-44228 blog post.

Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.

How can I get help?

If you need help on building or configuring Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Log4j Users mailing list

If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions here are incomplete, please report them privately to the Log4j Security Team. Thank you.

Posted at 11:37PM Dec 14, 2021 by Joe Brockmeier in General  |   | 

The Apache Weekly News Round-up: week ending 10 December 2021

Hello, everyone --let's review the Apache community's activities from over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 December 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.80%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 286 Apache Committers changed 2,227,208 lines of code over 2,986 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Mark Thomas, Sylwester Lachiewicz, Andi Huber, and Claus Ibsen.

Apache Project Announcements – the latest updates by category.

Apache Attic --provides process and solutions when an Apache project has reached its end of life.
 - Apache Joshua is now retired

Big Data --
 - Apache Kyuubi (incubating) 1.4.0-incubating released

IDE --
 - Apache NetBeans 12.6 released

Libraries --
 - Apache Daffodil 3.2.0 released
 - Apache Log4j 2.15.0 released
   -- CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Observability --
- Apache SkyWalking 8.9.0, Satellite 0.4.0, and Kubernetes 4.2.0 released

Programming Languages --
 - Apache Groovy 4.0.0-rc-1 released

Search --
 - Apache Lucene 9.0.0 released

Servers --
 - Apache Tomcat 10.1.0-M8 (alpha), 10.0.14, and 9.0.56 released
 - Apache HttpComponents Core 4.4.15 released

Did You Know?

 - Did you know that Banco Central Do Brasil uses Apache Wicket for its Central Bank's Circulation Management System?

 - Did you know that the Apache Pinot Annual Recap and Roadmap MeetUp has been rescheduled to 13 December?

 - Did you know that individuals and organizations can support the ASF through one-time and repeat donations (weekly/monthly/quarterly/annually) online using ACH, credit card, and PayPal, as well as Apple Pay, Google Pay, and Microsoft Pay (using your mobile device)? https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 09:43PM Dec 13, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 3 December 2021

Welcome, December --we're opening the month with another great week. Here's what the Apache community has been up to:

Apache Month in Review – a round-up of our Round-ups and other newsworthy bits over the past month.
 - November Month in Review

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 December 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.74%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 286 Apache Committers changed 9,525,136 lines of code over 4,725 commits. Top 5 contributors, in order, are: Krist Wongsuphasawat, Jesse Yang, Yongjie Zhao, Gary Gregory, and Ville Brofeldt.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.11.0 released

Web Frameworks -
 - Apache Wicket 9.7.0 released

Did You Know?

 - Did you know that the following Apache Projects are celebrating anniversaries this month? Congratulations to Apache Ant (19 years); HttpComponents (14 years); Attic, Buildr, CouchDB, and Qpid (13 years); Community Development (12 years); OODT and ZooKeeper (11 years); Kafka and Syncope (9 years); Ambari (8 years); BookKeeper and Drill (7 years); Brooklyn, Groovy, Kylin, and REEF (6 years); Geode (5 years); Guacamole and Impala (4 years); Griffin (3 years); Petri (2 years); Superset and TVM (1 year)!

 - Did you know that Apache Hudi enables streaming of hundreds of terabytes of data into data lakes each day?

 - Did you know that individual and corporate donations help the all-volunteer ASF continue to steward 350+ Apache Projects and their communities, and provide more than $22B worth of Apache software to the public good at 100% no charge? https://donate.apache.org/

Apache Community Notices

- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:50PM Dec 06, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache Month in Review: November 2021

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in November  [video highlights available] :

New This Month --

- Sponsor Success at Apache - the blog series that focuses on the people and processes behind why the ASF "just works", featuring insights and experiences from the perspective of select ASF Sponsors. The latest entry is "Exploration and Practice of the Apache Way in Tencent" by Mark Shan.

- Apache Month in Review: October 2021

Important Dates --

- Next Board Meeting: 15 December 2021. Board calendar and minutes

- Apache TVM TVMCon - 15-17 December 2021

Infrastructure --

In November, 628 Apache Committers changed 39,505,956 lines of code over 18,511 commits. The Committers with the top 5 highest contributions, in order, were: Krist Wongsuphasawat, Jesse Yang, Ville Brofeldt, Yongjie Zhao, and Mark Thomas. 

Project Releases and Updates --

New releases from Apache Airflow (Big Data); APISIX (API); Arrow (Big Data); Avro (Big Data); Beam (Big Data); Camel (Integration); CloudStack (Cloud Computing); Commons CLI (Libraries); DolphinScheduler (Workflow); Groovy (Programming Languages); HttpComponents (Servers); IoTDB (IoT); Jackrabbit (Content); JSPWiki (Content); Kafka (Big Data); Lucene (Search); MINA (Network Client/Server); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); Ozone (Big Data); POI (Content); Qpid (Messaging); ShardingSphere (Big Data); Skywalking (Application Performance Management); Solr (Search); Struts (Web Frameworks); Superset (Big Data); Tomcat (Servers); Traffic Control (Servers); Traffic Server (Servers); Wicket (Web Frameworks).

Apache Project Anniversaries in November: Apache Ant (19 years); HttpComponents (14 years); Attic, Buildr, CouchDB, and Qpid (13 years); Community Development ("ComDev", 12 years); OODT and ZooKeeper (11 years); Kafka and Syncope (9 years); Ambari (8 years); BookKeeper, Drill, and MetaModel (7 years); Brooklyn, Groovy, Kylin, and REEF (6 years); Geode (5 years); Guacamole, Impala, and Mnemonic (4 years); Griffin (3 years); Petri (2 years); and Superset and TVM (1 year). Many happy returns!

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 04:54PM Dec 01, 2021 by Swapnil M Mane in Newsletter  |   |