[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Dec 13 16:12:24 EST 2021
Java and log4j / log4shell (CVE-2021-44228) remote command execution
vulnerability
intro: https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare
Base OpenVMS itself does not include Java, though add-on apps and
layered products can have dependencies and can install Java.
If you have Java installed anywhere on OpenVMS (try DIRECTORY
ddcu:[*...]JAVA*, etc), you will need to evaluate your configuration in
more detail.
You'll want to evaluate other components and services around your
servers, as well.
List of possibly-affected services and apps:
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#file-20211210-tlp-white_log4j-md
Reportedly, all versions of Java are vulnerable when log4j is present
and reachable, and exploits are active and under development.
It appears there are efforts underway to create worms using this
vulnerability, as well.
--
Pure Personal Opinion | HoffmanLabs LLC