[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Tue Dec 14 13:05:08 EST 2021
On 12/14/2021 12:43 PM, Craig A. Berry wrote:
> On 12/14/21 10:51 AM, Arne Vajhøj wrote:
>> On 12/14/2021 11:39 AM, Stephen Hoffman wrote:
>>> Early reports that Java 8 and newer were not vulnerable were later
>>> found incorrect.
>>
>> So you are saying that the deserialization protections done in 9 and
>> backported to 8u121 are not enough to prevent this vulnerability?
>
> Those protections block one of several deserialization mechanisms. It
> helps a little for what I understand to be the easiest way to execute
> remote code. But we're way beyond what's easiest for the state actors
> and others who are investing a lot of resources into exploiting this in
> the wild. So do upgrade Java. But don't stop there.
The best obviously is to upgrade log4j.
Nobody needs that feature causing the vulnerability (obviously
except whoever introduced it).
Arne
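Verifying that the log4j upgrade actually landed on a host, as an added example that is not from this thread: a Python inventory script (the function names and the in-memory sample archive are my own) that walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them, and reports each one that still contains JndiLookup.class along with the log4j-core version recorded in its Maven pom.properties.

```python
# Added example, not code from the Info-vax thread.
# Flags archives that bundle org.apache.logging.log4j.core.lookup.JndiLookup,
# the class behind CVE-2021-44228, and reports the log4j-core version found.
# Nested archives (fat jars, WAR/EAR files) are recursed into, since the class
# is often bundled inside an application rather than shipped as log4j-core-*.jar.
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes this file into log4j-core; it carries the exact artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def log4j_version(zf):
    """Return the log4j-core version recorded in the archive, or None."""
    if POM_PROPS in zf.namelist():
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        if m:
            return m.group(1).strip()
    return None

def scan_archive(data, label):
    """Scan one archive given as bytes, plus any archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append({"archive": label, "version": log4j_version(zf)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and report every archive containing JndiLookup."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings

if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['archive']}: log4j-core {f['version'] or 'unknown'} contains JndiLookup")
```

Patched log4j releases still ship the class with JNDI disabled, so use the reported version to decide whether a hit is a finding or just inventory.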