[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Tue Dec 14 08:58:56 EST 2021
On 12/14/2021 8:33 AM, Craig A. Berry wrote:
> On 12/13/21 7:51 PM, Arne Vajhøj wrote:
>> The version of Java does not impact a bug in log4j more than
>> the version of the C compiler impacts a buffer overrun in a C library.
>
> Not true. From <https://www.openwall.com/lists/oss-security/2021/12/10/1>:
>
> ---
> Java 8u121 (see
> https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
> protects against remote code execution by defaulting
> "com.sun.jndi.rmi.object.trustURLCodebase" and
> "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
> ---
>
> So an up-to-date Java (currently I think 1.8.0_312-b07 for Java 8)
> mitigates (some of) the mayhem that can be caused by the vulnerability.
> Unless I missed one, the latest release from VSI is 1.8.0_222-b05, so
> people using Java 8 on VMS should consider getting that if they are
> using any older release of Java 8, including, IIRC, any release from HPE.
>
> But also note per this:
>
> <https://www.openwall.com/lists/oss-security/2021/12/10/2>
>
> that an updated Java protects against only one of several remote code
> execution vectors, so it's far from a complete fix, but the Java version
> certainly does impact the severity of the bug.
Ah. I stand corrected.
I actually did know that 8u121 did get some of the 9
deserialization protection features backported.
But I did not realize that it would help with this one.
That is good. Most Java 8 users should be way above u121.
Arne
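The thread's practical takeaway is a version threshold: a Java 8 runtime at or above 8u121 defaults `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.cosnaming.object.trustURLCodebase` to "false", so the VSI 1.8.0_222-b05 build clears that bar while older HPE-era builds may not. The following POSIX shell snippet is an added example, not code from the thread or from VSI: it parses the `1.8.0_NNN-bMM` token that `java -version` prints and reports which side of the 8u121 line a given build falls on. The sample tokens are constructed for illustration (the 222 and 312 values are the ones quoted above); the function names and the "check manually" verdict for non-Java-8 strings are this example's own choices, since the thread only makes a claim about Java 8.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Java 8 version token
# against the 8u121 threshold at which the JNDI trustURLCodebase
# properties started defaulting to "false".

# Print the update number (digits after the underscore) of a Java 8
# version token such as 1.8.0_222-b05. Returns 1 and prints nothing
# if the token is not a Java 8 version string.
java8_update() {
    ver="$1"
    case "$ver" in
        1.8.0_*) ;;
        *) return 1 ;;
    esac
    upd="${ver#1.8.0_}"      # strip the "1.8.0_" prefix
    upd="${upd%%-*}"         # drop the "-bNN" build suffix, if present
    case "$upd" in
        ''|*[!0-9]*) return 1 ;;   # must be all digits
    esac
    printf '%s\n' "$upd"
}

# Return 0 if the token is Java 8 at update 121 or later (remote JNDI
# codebase loading disabled by default), 1 if it is an older Java 8,
# 2 if it is not a Java 8 token at all (other JDK families need their
# own check, which this script does not attempt).
jndi_default_status() {
    upd=$(java8_update "$1") || return 2
    [ "$upd" -ge 121 ]
}

# Human-readable wrapper; written so it is safe under "set -e".
report() {
    rc=0
    jndi_default_status "$1" || rc=$?
    case $rc in
        0) echo "$1: trustURLCodebase defaults to false (8u121 or later)" ;;
        1) echo "$1: older than 8u121, remote JNDI codebase trusted by default" ;;
        2) echo "$1: not a Java 8 version string, check manually" ;;
    esac
}

# Constructed sample tokens. On a live system you would feed in the
# token extracted from: java -version 2>&1
for v in 1.8.0_222-b05 1.8.0_312-b07 1.8.0_112-b15 11.0.13; do
    report "$v"
done
```

The status function deliberately reports "check manually" rather than guessing for Java 9 and later, and, as Craig's second link notes, a passing result here only closes the remote-codebase vector; it says nothing about the other log4j exploitation paths, so the log4j version still has to be checked separately.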