[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Dec 14 11:39:04 EST 2021
On 2021-12-14 13:33:40 +0000, Craig A. Berry said:
> So an up-to-date Java (currently I think 1.8.0_312-b07 for Java 8)
> mitigates (some of) the mayhem that can be caused by the vulnerability.
> Unless I missed one, the latest release from VSI is 1.8.0_222-b05, so
> people using Java 8 on VMS should consider getting that if they are
> using any older release of Java 8, including, IIRC, any release from
> HPE.
Reports are that all versions of Java are vulnerable to exploitation when
log4j is accessible. Early reports that Java 8 and newer were not
vulnerable were later found incorrect.
There are mitigations posted, though some of those are seemingly now
getting bypassed.
There's ransomware active now, too.
HPE has indicated that 3PAR and some other products are vulnerable to
this mess, and has posted a list of not-vulnerable products.
--
Pure Personal Opinion | HoffmanLabs LLC