[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

David Turner dturner at islandco.com
Tue Dec 14 22:06:43 EST 2021


So the vulnerability is there. How would one take advantage of it anyway?
Wouldn't you need a privileged account to even get into the server to 
start taking advantage of the flaws?
Assuming one is pretty careful about access to the network, and the 
directory permissions are controlled, wouldn't it be hard to do 
any damage?

Curious as I cannot find much information outside of the warning. I 
guess no one wants to give hackers the keys to the rolls....

DT

>>>> The version of Java does not impact a bug in log4j more than
>>>> the version of C compiler impacts a buffer overrun in a C library.
>>>
>>> We keep hearing this mantra over and over.  If it really is
>>> such a problem why has no one ever bothered to write a new
>>> library keeping the original APIs while internally removing
>>> the overrun problem?  Oh wait, someone did. Back in the early
>>> 80's.  On the PDP-11.  For all the DEC OSes and Ultrix-11
>>> and Version 7 Unix.  And there was even a version for the VAX.
>>> How did that work out?
>>>
>>> bill
>>
>> Way too many people don't really care about security ... until it 
>> bites them on the ass.  Then they expect a law to be passed that will 
>> protect them.  As if the hackers really care about laws.
>>
>> One moment I'll never forget.  I was telling a customer that it would 
>> be a very bad idea for them to store their customers' data, bank 
>> account, credit card info, and such in plain text on an IIS server.  
>> The response was "why not, everyone else does". And they ignored my 
>> warning and did just that.  Don't know the result; the business 
>> relationship didn't last much longer.
>>
>
> And then you have the cloud.  Take all your data and place it in the
> hands of someone you have no reason to trust.
>
> bill
>
So