[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Mon Dec 13 20:51:48 EST 2021
On 12/13/2021 4:12 PM, Stephen Hoffman wrote:
> Java and log4j / log4shell (CVE-2021-44228) remote command execution
> vulnerability
>
> intro: https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare
>
> Base OpenVMS itself does not include Java, though add-on apps and
> layered products can have dependencies and can install Java.
>
> If you have Java installed anywhere on OpenVMS (try DIRECTORY
> ddcu:[*...]JAVA*, etc), you will need to evaluate your configuration in
> more detail.
>
> You'll want to evaluate other components and services around your
> servers, as well.
>
> List of possibly-affected services and apps:
> https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#file-20211210-tlp-white_log4j-md
>
> Reportedly, all versions of Java are vulnerable when log4j is present
> and reachable, and exploits are active and under development.
>
> It appears there are efforts underway to create worms using this
> vulnerability, as well.
"all versions of Java are vulnerable when log4j is present and reachable"
is a funny description.
It is a vulnerability for all running Java applications using
log4j 2.0 - 2.14.1 that log user input.
That is serious. A very large portion of Java server applications
(think 50% magnitude!) use log4j and it seems likely that most of
them have potential for logging user input (user input is important
when troubleshooting).
The version of Java does not impact a bug in log4j any more than
the version of the C compiler impacts a buffer overrun in a C library.
Note that log4j 2.x does not run on VMS Alpha due to too old Java
version (2.0 - 2.3 requires Java 6, 2.4 - 2.12.1 requires Java 7 and
2.13 and newer requires Java 8).
And log4j 1.x is not vulnerable to this bug. But it is out of
support and has other vulnerabilities, so it is not a good
version to be on.
But anybody running a Java application on Itanium that uses
log4j 2.x better upgrade to 2.15 or newer (latest as of today
is 2.16).
To check:
$ dir [wherever...]log4j-core-2.*.jar
should reveal any log4j 2.x present in that tree.
Every system manager would (hopefully) know whether Java
is installed or not - but very few will know offhand
which applications use log4j, so you better check!!
Arne
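The DIRECTORY check above only finds a log4j-core jar sitting loose in the file system; an application that bundles log4j inside its own WAR or fat jar is missed, which is exactly the "which applications use log4j" problem the post ends on. The following scanner is an added example, not code from the post or from Apache: it walks a tree, matches log4j jars by file name (also one or more levels inside .jar/.war/.ear archives), and classifies each hit using the version ranges stated in the post (1.x not affected by this CVE, 2.0 - 2.14.1 vulnerable, 2.15 and newer patched) together with the post's Java baseline per release line (2.0 - 2.3 Java 6, 2.4 - 2.12.1 Java 7, 2.13+ Java 8). It additionally looks for JndiLookup.class inside 2.x jars, an assumption added here: removing that class is the upstream-documented workaround, and a jar from which it has been removed is reported as "mitigated" rather than "vulnerable". The demo tree it builds (names and contents) is constructed for the example and contains no real jars.

```python
"""Added example: find log4j jars in a tree (including nested archives) and classify
them against CVE-2021-44228 using the version ranges from the post."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Matches log4j-core-2.14.1.jar (2.x) and log4j-1.2.17.jar (1.x) by basename;
# deliberately does not match log4j-api-*.jar, which does not carry the lookup code.
JAR_RE = re.compile(r"^(?:log4j-core|log4j)-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.IGNORECASE)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption (not from the post): presence of this class is what makes 2.x exploitable.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    path: str        # filesystem path; nested archive entries are joined with '!'
    version: tuple   # (major, minor, patch)
    status: str      # vulnerable | mitigated | patched | legacy-1.x
    min_java: int    # lowest Java major the release line runs on, per the post (None for 1.x)


def parse_version(basename):
    m = JAR_RE.match(basename)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def min_java(version):
    if version[0] != 2:
        return None            # the post gives no figure for 1.x
    if version < (2, 4, 0):
        return 6
    if version < (2, 13, 0):
        return 7
    return 8


def classify(version, jndi_present=True):
    if version[0] == 1:
        return "legacy-1.x"    # not affected by this bug, but out of support
    if (2, 0, 0) <= version <= (2, 14, 1):
        return "vulnerable" if jndi_present else "mitigated"
    return "patched"           # 2.15.0 and newer


def _has_jndi(jar_bytes):
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            return JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return True            # cannot inspect the jar: assume the class is still there


def _scan_zip(data, display_path, depth, out):
    """Look inside an archive for log4j jars, descending into nested archives up to depth."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            ver = parse_version(os.path.basename(name))
            if ver is not None:
                inner = zf.read(name)
                out.append(Finding(f"{display_path}!{name}", ver, classify(ver, _has_jndi(inner)), min_java(ver)))
            elif depth > 0 and name.lower().endswith(ARCHIVE_EXT):
                _scan_zip(zf.read(name), f"{display_path}!{name}", depth - 1, out)


def scan_tree(root, max_depth=3):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            ver = parse_version(fn)
            if ver is not None:
                with open(full, "rb") as fh:
                    data = fh.read()
                findings.append(Finding(full, ver, classify(ver, _has_jndi(data)), min_java(ver)))
            elif fn.lower().endswith(ARCHIVE_EXT):
                with open(full, "rb") as fh:
                    _scan_zip(fh.read(), full, max_depth, findings)
    return findings


def build_demo_tree(root):
    """Constructed sample input: tiny zip files with log4j-style names, not real jars."""
    def make_jar(path, entries):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
    make_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), {JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    make_jar(os.path.join(root, "app2", "lib", "log4j-core-2.10.0.jar"), {"META-INF/MANIFEST.MF": b""})  # class removed
    make_jar(os.path.join(root, "old", "log4j-1.2.17.jar"), {"META-INF/MANIFEST.MF": b""})
    buf = io.BytesIO()                       # a WAR that bundles a patched log4j under WEB-INF/lib
    with zipfile.ZipFile(buf, "w") as inner:
        inner.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    make_jar(os.path.join(root, "deploy", "webapp.war"), {"WEB-INF/lib/log4j-core-2.16.0.jar": buf.getvalue()})


def demo():
    """Build the constructed tree in a temp dir, scan it, return findings keyed by path under root."""
    root = tempfile.mkdtemp(prefix="log4jscan-")
    build_demo_tree(root)
    return {f.path[len(root):].replace(os.sep, "/"): f for f in scan_tree(root)}


if __name__ == "__main__":
    for key, f in sorted(demo().items()):
        print(f"{f.status:10} {'.'.join(map(str, f.version)):8} java>={f.min_java or '?'}  {key}")
```

Run it with no arguments to see the four constructed findings; point scan_tree() at a real directory (for example the tree where an application's JAVA$ or layered-product files live) to inventory a system. Name matching is the cheap first pass; a jar that has been renamed or shaded will slip past it, so a "no findings" result is evidence, not proof.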
More information about the Info-vax
mailing list