Page MenuHomePhabricator
Create Task
Maniphest T298183

Upgrade OpenRefine on PAWS to version 3.5.1 (log4j related upgrade)
Closed, ResolvedPublic
Actions

Description

OpenRefine has very recently released a 3.5.1 version due to the recent log4j vulnerabilities. It's probably a good idea to upgrade our OpenRefine instance on PAWS as well.

(According to discussion on the OpenRefine mailing list, OpenRefine 3.5.0, which is the current version on PAWS, shipped with log4j 1.2.16, which was allegedly not affected by the vulnerability?)

Related Objects

Event Timeline

Spinster created this task.Dec 22 2021, 8:18 AM
taavi added a project: Patch-For-Review.Dec 22 2021, 8:23 AM
taavi subscribed.

https://github.com/toolforge/paws/pull/121

taavi mentioned this in rPAWS064860dbdf45: images/singleuser: Bump OpenRefine to 3.5.1.Dec 22 2021, 8:43 AM
taavi merged a task: T298275: New upstream release for OpenRefine.Dec 23 2021, 10:10 PM
taavi added a subscriber: LibUp-bot.
Chicocvenancio subscribed.Dec 24 2021, 2:25 PM

All for the upgrade but just for the record I don't see a path for exploitation here. All requests to openrefine go through the proxy and only authenticated requests pass. And if you're authenticated into a user server, well RCE is the main feature for jupyterhub.

taavi closed this task as Resolved.Dec 28 2021, 2:24 PM
taavi claimed this task.
Spinster reopened this task as Open.Dec 29 2021, 1:38 PM

When I load OpenRefine on PAWS, it still asks to upgrade to 3.5.1 so I have the impression that this task is not resolved yet.

image.png (68×832 px, 28 KB)

taavi closed this task as Resolved.Dec 29 2021, 1:43 PM
In T298183#7591172, @Spinster wrote:

When I load OpenRefine on PAWS, it still asks to upgrade to 3.5.1 so I have the impression that this task is not resolved yet.

You need to restart your server for the updated singleuser image to take effect.

Spinster added a comment.Dec 30 2021, 11:29 AM
In T298183#7591180, @Majavah wrote:
In T298183#7591172, @Spinster wrote:

When I load OpenRefine on PAWS, it still asks to upgrade to 3.5.1 so I have the impression that this task is not resolved yet.

You need to restart your server for the updated singleuser image to take effect.

Indeed! Thank you so much 🙏

taavi removed a project: Patch-For-Review.Dec 30 2021, 11:30 AM
Alicia_Fagerving_WMSE subscribed.Jan 12 2022, 8:15 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL