Arvados v2.4.2 released

The Arvados team is pleased to announce Arvados 2.4.2.

This release includes a critical security update to address vulnerability GHSL-2022-063, described below. We strongly recommend that all installations of Arvados, especially those accessible via the public Internet, upgrade to 2.4.2 as soon as possible. See Upgrading Arvados for upgrade instructions.

In addition, this release includes several performance improvements, usability improvements, and bug fixes.

Security updates

GHSL-2022-063

GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in Arvados Workbench that allows an authenticated attacker (any user holding a valid Arvados token) to execute arbitrary code on the Workbench server by submitting specially crafted JSON payloads.

This vulnerability is fixed in 2.4.2 (#19316).

It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.

This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypeScript browser-based Workbench application (“Workbench 2”) or the API Server, are vulnerable to this attack.

CVE-2022-31163 and CVE-2022-32224

As a precaution, Arvados 2.4.2 includes security updates for Ruby on Rails (CVE-2022-32224) and the TZInfo Ruby gem (CVE-2022-31163). However, there are no known ways to exploit these CVEs through Arvados.

New Features

#18984

The “Type” column filters in the Workbench 2 Projects view are now expanded by default, and intermediate workflow steps are now hidden by default.

#18203

In Workbench 2, after adding a metadata element to a Project or Collection, the “key” field is now left filled in and focus remains on the “value” field, making it easier to enter multiple values for the same key.

#19177

There is now a configuration option for admins to disable the user interface for the “sharing link” feature (URLs which can be sent to users to access the data in a specific collection in Arvados without an Arvados account), for organizations where sharing links violate their data sharing policy.

#18975

Workflow logs on Workbench 2 now show “Main logs” by default, which is a combination of the crunch-run, stdout and stderr logs. Following scrolling has also been improved.

#16070

Workbench 2 now features a new panel showing the command line used to invoke a workflow or workflow step.

#19231

Workbench 2 now has options for smaller page sizes (10 and 20 items) to speed up loading project contents.

#19282 #19220

Added a new method to the Java SDK to upload files via the Keep Web API. The Java SDK’s KeepClient now reads the API token from a configuration parameter.

Bug Fixes

#19192

Fixed an internal, silent failure in keep-web that would prevent use of the manifest cache after keep-web was running for a while, resulting in poor performance accessing files in Keep via HTTP, WebDAV and S3 APIs until the service was restarted. keep-web now correctly uses the cache and maintains consistent performance.

#19153

In the Workbench 2 collection file browser, following the URL resulting from “Copy to clipboard” will now open the file content in the browser, instead of forcing a file download.

#19297

Workbench 2 advanced search by metadata property now works as intended, instead of returning an error.

#19305

When using the “breadcrumbs bar” to edit Project properties, the existing metadata properties are now loaded correctly.

#19296

Fixed Python SDK bug in Collection.remove where the recursive flag was not propagated, preventing removal of more than one level of directories. Recursively removing deep directory trees in Collections now works as intended.

#18965

When navigating to a Workbench 2 page while not logged in, the user is redirected to the login page and, after logging in, is now correctly returned to the page they originally intended to visit.

#19142

Workbench 2 “All processes” and “Subprocesses” panels now load faster by limiting which fields of the container record are requested.

#19321

When launching a workflow on Workbench 1, workflow inputs with “enum” type are now displayed and set correctly.

#19280

When submitting very large workflows with arvados-cwl-runner, particularly those defined entirely in a single file, the time spent in initialization (before the first workflow step is submitted) has been greatly reduced.

Thanks,
The Arvados Team