[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228, CVE-2021-45046
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Dec 14 20:08:17 EST 2021
On 2021-12-14 19:56:24 +0000, Jim said:
> On 12/14/2021 11:39 AM, Stephen Hoffman wrote:
>> HPE has indicated that 3PAR and some other products are vulnerable to
>
> Seems HPE now reporting that the 3PAR StorServ is not vulnerable.
>
> https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us
You're looking at the "not vulnerable" list from HPE.
You'll also want to review the "vulnerable" list from HPE, for some
problematic 3PAR and XP apps.
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us
As for why log4j has this particular feature, there was a recent report
that the maintainers tried to remove these misfeatures, and ran afoul
of compatibility requirements.
The same-origin logic in this same neighborhood of code makes for an
interesting read, too—it's somewhere between un-robust and un-reliable.
There's what seems a robust workaround for the JNDI flaw, included with
the second of the two CVEs for the log4j code, CVE-2021-45046.
This is for if you can't upgrade to the latest log4j.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
--
Pure Personal Opinion | HoffmanLabs LLC
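As an added illustration of the class-removal workaround mentioned above (this is example code, not from the post, from HoffmanLabs, or from Apache): a standard-library Python script that does what the zip one-liner does, but also walks a directory tree, looks inside nested archives (wars and fat jars that bundle their own log4j-core), and rewrites a matching top-level jar without JndiLookup.class. The sample jar and war it builds are constructed stand-ins with placeholder class bytes; the file names and the .tmp suffix are assumptions.

```python
"""Added example (not from the post or Apache): detect and strip
org/apache/logging/log4j/core/lookup/JndiLookup.class from jars using only
the Python standard library, as a scriptable stand-in for the 'zip -q -d'
one-liner. Sample archives are constructed in a temp dir; the file names and
stand-in class bytes are assumptions, not real log4j builds.
"""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def build_sample_jar(path):
    """Write a constructed stand-in log4j-core jar that carries the lookup class."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, assumption
    return path


def contains_jndi_lookup(zf):
    """True if this archive, or any archive nested inside it (fat jars, wars),
    carries JndiLookup.class. The zip one-liner only sees the top level."""
    for name in zf.namelist():
        if name == JNDI_LOOKUP:
            return True
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    if contains_jndi_lookup(inner):
                        return True
            except zipfile.BadZipFile:
                continue
    return False


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return contains_jndi_lookup(zf)


def strip_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (zipfile has no in-place
    delete, so the archive is copied entry by entry). Returns True if the class
    was present and removed. Nested archives are only reported, not rewritten;
    they need to be unpacked and treated individually."""
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_LOOKUP not in zf.namelist():
            return False
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap: a crash mid-copy leaves the original intact
    return True


def scan_tree(root):
    """Sorted paths of archives under root that still carry JndiLookup.class anywhere."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                p = os.path.join(dirpath, f)
                try:
                    if has_jndi_lookup(p):
                        hits.append(p)
                except zipfile.BadZipFile:
                    pass
    return sorted(hits)


def demo():
    """Build a vulnerable jar plus a war embedding it, strip the jar, rescan."""
    with tempfile.TemporaryDirectory() as d:
        jar = build_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"))
        war = os.path.join(d, "app.war")
        with zipfile.ZipFile(war, "w") as zf:  # constructed fat archive
            zf.write(jar, "WEB-INF/lib/log4j-core-2.14.1.jar")
        before = scan_tree(d)
        removed = strip_jndi_lookup(jar)
        after = scan_tree(d)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
        return {
            "before": [os.path.basename(p) for p in before],
            "removed": removed,
            "after": [os.path.basename(p) for p in after],
            "remaining": remaining,
            "second_run": strip_jndi_lookup(jar),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the behaviour: the loose jar is cleaned on the first pass and reports nothing to do on the second, while app.war still shows up in the rescan because its bundled copy of the jar was never rewritten, which is the case the plain zip command on a directory of jars silently misses.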