[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Tue Dec 14 11:51:25 EST 2021
On 12/14/2021 11:39 AM, Stephen Hoffman wrote:
> On 2021-12-14 13:33:40 +0000, Craig A. Berry said:
>
>> So an up-to-date Java (currently I think 1.8.0_312-b07 for Java 8)
>> mitigates (some of) the mayhem that can be caused by the
>> vulnerability. Unless I missed one, the latest release from VSI is
>> 1.8.0_222-b05, so people using Java 8 on VMS should consider getting
>> that if they are using any older release of Java 8, including, IIRC,
>> any release from HPE.
>
> Reports that all versions of Java are vulnerable to exploitation when
> log4j is accessible.
"accessible"
Why not just say "used"?
> Early reports that Java 8 and newer were not
> vulnerable were later found incorrect.
So you are saying that the deserialization protections done in 9 and
backported to 8u121 are not enough to prevent this vulnerability?
Arne