This week's Java roundup for December 13th, 2021, features news from JDK 19, updates on the Log4Shell vulnerability, vendor statements on Log4Shell related to their products, point releases on various Spring-related projects and Hibernate, WildFly 26, Payara Platform, Quarkus 2.5.3.Final, Apache Camel 3.14.0, Piranha 21.11.0, and Apache Tika 2.2.0.
JDK 18
One week after JDK 18 had moved to Rampdown Phase One, it was a quiet week for JDK 18 build activity. More details through Build 27 may be found in the release notes.
JDK 19
Build 2 of the JDK 19 early-access builds was also made available this past week, featuring updates from Build 1 that include fixes to various issues.
For JDK 18 and JDK 19, developers are encouraged to report bugs via the Java Bug Database.
Log4Shell Vulnerability Updates
Two additional CVEs, CVE-2021-4104 and CVE-2021-45046, related to the original Log4Shell vulnerability, CVE-2021-44228, have been released to provide updated information
It was determined that Log4j 2.15.0, the version to have addressed CVE-2021-44228, the Log4Shell vulnerability, was incomplete as a vulnerability still existed in certain non-default configurations. As described in CVE-2021-45046:
This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example,
$${ctx:loginId}) or a Thread Context Map pattern (%X,%mdc, or%MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Vendor Statements to Log4Shell Vulnerability
Red Hat statement on Quarkus:
Since Quarkus, its extensions, and dependencies do not use the log4j version 2 core library, it is NOT susceptible to this vulnerability. In most cases, no corrective action is required for any Quarkus backed projects you may have.
Red Hat statement on WildFly:
This vulnerability is in code in the Log4j 2
org.apache.logging.log4j:log4j-coreartifact. The WildFly application server project does not ship this artifact, and it never has. So, the only way an application running on WildFly would be vulnerable to the CVE-2021-44228 vulnerability is if the log4j-core artifact has been added to the server installation, either via a user-provided JBoss Modules module, or more likely by packaging log4j-core in an application deployment artifact.
Tomitribe statement on Tomcat, TomEE and ActiveMQ that includes a detailed description of the vulnerability and how to test:
Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue.
Hibernate statement on Hibernate projects:
Hibernate projects are not affected by the vulnerabilities behind CVE-2021-45046 and CVE-2021-44228: none of the Hibernate projects has a runtime dependency on Log4j core.
We use JBoss Logging, which provides a minimal API bridging to your logger backend of choice and does not come with fancy features relying on JNDI lookups.
Object Computing, Inc. statement on Micronaut Framework:
By default, Micronaut applications use Logback. Thus, most Micronaut applications are not affected.
However, your application would be vulnerable if it includes untrusted input in the log messages and pulls
log4j-coreas a transitive dependency.
Apache Software Foundation statement on Apache Camel in production:
Apache Camel does not directly depend on Log4j 2, so we are not affected by CVE-2021-44228.
If you explicitly added the Log4j 2 dependency to your own applications, make sure to upgrade.
The IBM statement on Open Liberty provides a guide on Log4j CVE-2021-44228, CVE-2021-4104 and CVE-2021-45046 including a number of FAQs:
Open Liberty does not ship log4j and as a result any data logged by Open Liberty will not put you at risk. However, log4j is a widely used framework and your applications may make use of Log4J, as a result we have prepared the following Q&A for developers seeking advice.
Spring Framework
It was a busy week over at Spring as a number of point and milestone releases were made for some of their projects.
Spring Framework 5.3.14 and 5.2.19 have been released featuring 36 bug fixes and improvements and 11 bug fixes and improvements, respectively.
On the road to Spring Framework 6.0, the first milestone release was made available that builds the foundation to require JDK 17+ and Jakarta EE 9. Part of the new infrastructure will also include a cleanup of deprecated and outdated features. Developers are encouraged to review the upgrade page and further details may be found in this InfoQ news story.
Spring Cloud 2020.0.5, codenamed Ilford, has been released to include upgrades to the Spring Cloud sub projects such as Spring Cloud Kubernetes, Spring Cloud Gateway, Spring Cloud Vault and Spring Cloud Config.
The fourth milestone release of Spring GraphQL 1.0.0 was made available that ships with improvements in the annotation programming model and extended Spring Data support from Spring GraphQL 1.0.0-M3. New features in Spring GraphQL 1.0.0-M4 include interface projections and standard bean validation for GraphQL arguments, and support for Query by Example.
Spring Cloud Square 0.4.0-RC1 has been made available as a bug fix release. Further details may be found in the release notes.
WildFly
Red Hat has released WildFly 26 and WildFly Preview 26 featuring: support for MicroProfile 5.0; improved cloud configuration by allowing developers to override management attribute values using environmental variables; and a new JAAS security realm type in the Elytron subsystem. More details may be found in the list of issues.
The WildFly 26 Source-to-Image (S2I) Docker images have been released on quay.io, Red Hat's utility to build, analyze and distribute container images. These images now deprecate the quay.io/wildfly/wildfly-centos7 and quay.io/wildfly/wildfly-runtime-centos7 images.
Payara
Payara has released their December 2021 edition of the Payara Platform. The Payara Platform Community 5.2021.10 edition includes six improvements, one security fix, seven bug fixes, and two component upgrades. The Payara Platform Enterprise 5.34.0 edition includes seven improvements, one security fix, eight bug fixes, and one component upgrade.
The security fix for both editions addresses CVE-2021-40690, a vulnerability identified in versions of Apache Santuario prior to 2.2.3 and 2.1.7 in which the secureValidation property is incorrectly passed upon creation of KeyInfo and KeyInfoReference classes. This allows an attacker to abuse an XPath Transform to extract local .xml files in a RetrievalMethod element.
More details may be found in the release notes for the Community and Enterprise editions.
Hibernate
Hibernate Reactive 1.1.1.Final has been released featuring support for Hibernate ORM 5.6.2.Final. More details may be found in the list of issues.
Maintenance releases of Hibernate Validator 6.2.1.Final and 7.0.2.Final were made available this past week. Despite the fact that all Hibernate projects ship with JBoss Logging, Log4j2 remains a test dependency and it was determined that security scans are not as fine-grained as they could be.
Quarkus
A third maintenance release, Quarkus 2.5.3.Final, was made available by Red Hat featuring numerous bug fixes and improvements in documentation. Further details may be found in the changelog.
Apache Camel
Apache Camel 3.14.0 was made available with 111 new features, improvements and bug fixes. This is the last version to support JDK 8. More details may be found in the release notes.
Piranha
Piranha 21.11.0 has been released. Dubbed the "Are we there yet?" edition, this release features Maven plugins for Piranha Micro and Piranha Server. Further details may be found in their documentation and issue tracker.
Apache Tika
Apache Tika has released version 2.2.0 of their metadata extraction toolkit. Formerly a subproject of Apache Lucene, this latest version includes: an upgrade to log4j 2.15.0, a new parser for OneNote files downloaded from Office365; numerous improvements to file detection such as JPEG XL, MARC, ICC Profiles; and improvements to the tika-pipes modules.