[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Bill Gunshannon
bill.gunshannon at gmail.com
Tue Dec 14 12:41:32 EST 2021
On 12/14/21 12:31 PM, Dave Froble wrote:
> On 12/14/2021 9:11 AM, Bill Gunshannon wrote:
>> On 12/13/21 8:51 PM, Arne Vajhøj wrote:
>>>
>>
>> ...
>>
>>> The version of Java does not impact a bug in log4j more than
>>> the version of C compiler impacts a buffer overrun in a C library.
>>
>> We keep hearing this mantra over and over. If it really is
>> such a problem why has no one ever bothered to write a new
>> library keeping the original APIs while internally removing
>> the overrun problem? Oh wait, someone did. Back in the early
>> 80's. On the PDP-11. For all the DEC OSes and Ultrix-11
>> and Version 7 Unix. And there was even a version for the VAX.
>> How did that work out?
>>
>> bill
>
> Way too many people don't really care about security ... until it bites
> them on the ass. Then they expect a law to be passed that will protect
> them. As if the hackers really care about laws.
>
> One moment I'll never forget. I was telling a customer that it would be
> a very bad idea for them to store their customer's data, bank account,
> credit card info, and such in plain text on an IIS server. The response
> was "why not, everyone else does". And they ignored my warning and did
> just that. Don't know the result, the business relationship didn't last
> much longer.
>
And then you have the cloud. Take all your data and place it in the
hands of someone you have no reason to trust.
bill