[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Dave Froble
davef at tsoft-inc.com
Tue Dec 14 12:31:52 EST 2021
On 12/14/2021 9:11 AM, Bill Gunshannon wrote:
> On 12/13/21 8:51 PM, Arne Vajhøj wrote:
>>
>
> ...
>
>> The version of Java does not impact a bug in log4j more than
>> the version of C compiler impacts a buffer overrun in a C library.
>
> We keep hearing this mantra over and over. If it really is
> such a problem why has no one ever bothered to write a new
> library keeping the original APIs while internally removing
> the overrun problem? Oh wait, someone did. Back in the early
> 80's. On the PDP-11. For all the DEC OSes and Ultrix-11
> and Version 7 Unix. And there was even a version for the VAX.
> How did that work out?
>
> bill
Way too many people don't really care about security ... until it bites them on
the ass. Then they expect a law to be passed that will protect them. As if the
hackers really care about laws.
One moment I'll never forget. I was telling a customer that it would be a very
bad idea for them to store their customers' data, bank account, credit card
info, and such in plain text on an IIS server. The response was "why not,
everyone else does". And they ignored my warning and did just that. Don't know
the result, the business relationship didn't last much longer.
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486