[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

Craig A. Berry craigberry at nospam.mac.com
Tue Dec 14 08:33:40 EST 2021


On 12/13/21 7:51 PM, Arne Vajhøj wrote:
> On 12/13/2021 4:12 PM, Stephen Hoffman wrote:

> The version of Java does not impact a bug in log4j more than
> the version of C compiler impacts a buffer overrun in a C library.

Not true. From <https://www.openwall.com/lists/oss-security/2021/12/10/1>:

---
Java 8u121 (see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
protects against remote code execution by defaulting
"com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
---

So an up-to-date Java (currently I think 1.8.0_312-b07 for Java 8)
mitigates (some of) the mayhem that can be caused by the vulnerability.
Unless I missed one, the latest release from VSI is 1.8.0_222-b05, so
people using Java 8 on VMS should consider getting that if they are
using any older release of Java 8, including, IIRC, any release from HPE.

But also note per this:

<https://www.openwall.com/lists/oss-security/2021/12/10/2>

that an updated Java protects against only one of several remote code
execution vectors, so it's far from a complete fix, but the Java version
certainly does impact the severity of the bug.
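
As an added example, not code from the post or from either openwall advisory, the following Python script turns the point above into an inventory check: it parses Java 8-style version strings (as printed by `java -version`) and reports which hosts run a JDK older than 8u121, the update that the quoted release notes cite as defaulting the JNDI `trustURLCodebase` properties to false. The host names and version strings are constructed; the cut-off is taken from the post, and the treatment of major versions above 8 as already carrying that default is an assumption based on later JDKs shipping after that change.

```python
import re

# Update level at which the 8u121 release notes (quoted in the post) say the
# com.sun.jndi.*.object.trustURLCodebase properties began defaulting to "false".
TRUST_URL_CODEBASE_DEFAULT_FALSE_SINCE = (8, 121)

# Accepts "1.8.0_312-b07", "1.8.0_222", "11.0.13", or the whole quoted token
# from a `java -version` banner.
_VERSION_RE = re.compile(
    r"^(?:1\.)?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?(?:-b(\d+))?$"
)


def parse_java_version(text):
    """Return (major, update, build) for a Java version string.

    Handles both the bare string ('1.8.0_222-b05') and the first line of
    `java -version` output ('openjdk version "1.8.0_312-b07"'). For Java 9+
    strings such as '11.0.13' the update field is reported as 0.
    """
    quoted = re.search(r'"([^"]+)"', text)
    token = quoted.group(1) if quoted else text.strip()
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised Java version string: {token!r}")
    major = int(m.group(1))
    update = int(m.group(4) or 0)
    build = int(m.group(5) or 0)
    return major, update, build


def jndi_codebase_default_is_safe(version):
    """True if this JDK defaults trustURLCodebase to false out of the box.

    Java 8 at update 121 or later qualifies (per the release notes the post
    quotes). Assumption: every major release after 8 inherits that default.
    Note this closes only the remote-codebase vector; the post is explicit
    that it is not a complete fix for the log4j bug itself.
    """
    major, update, _build = parse_java_version(version)
    if major > TRUST_URL_CODEBASE_DEFAULT_FALSE_SINCE[0]:
        return True
    if major == TRUST_URL_CODEBASE_DEFAULT_FALSE_SINCE[0]:
        return update >= TRUST_URL_CODEBASE_DEFAULT_FALSE_SINCE[1]
    return False


def hosts_needing_java_update(inventory):
    """Given {host: version_string}, return sorted hosts still on a pre-8u121 JDK."""
    return sorted(
        host for host, ver in inventory.items()
        if not jndi_codebase_default_is_safe(ver)
    )


# Constructed sample inventory (hypothetical hosts; the VSI version string is
# the one the post names, the others are illustrative).
SAMPLE_INVENTORY = {
    "vmsnode1": 'java version "1.8.0_222-b05"',   # VSI release cited in the post
    "vmsnode2": 'java version "1.8.0_112-b15"',   # older 8u release: still defaults to true
    "vmsnode3": "1.7.0_80",                        # Java 7: predates the change
    "linuxbox": 'openjdk version "11.0.13"',      # later major, inherits the default
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        status = "ok" if jndi_codebase_default_is_safe(ver) else "UPDATE"
        print(f"{host:10} {parse_java_version(ver)}  {status}")
    print("needs update:", hosts_needing_java_update(SAMPLE_INVENTORY))
```

Feed it real `java -version` output (the banner goes to stderr, so capture with `java -version 2>&1 | head -1`) one host at a time; a host flagged here still needs the log4j fix regardless, since this check only tells you whether the JNDI codebase default is on your side.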
