[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

Arne Vajhøj arne at vajhoej.dk
Tue Dec 14 20:22:05 EST 2021


On 12/14/2021 3:12 PM, Simon Clubley wrote:
> On 2021-12-14, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> The best obviously is to upgrade log4j.
>>
>> Nobody needs that feature causing the vulnerability (obviously
>> except whoever introduced it).
> 
> I wonder how that feature got past a design review ?

Good question. It should not have.

> I wonder if there were too many layers involved for someone to be
> able to connect the dots ?

There is some code in loggers, but the architecture is pretty simple:

       |--multiple formatters
core--|
       |--multiple appenders

Arne
