[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Dec 15 12:11:34 EST 2021
On 2021-12-15 16:17:04 +0000, Bob Gezelter said:
> VMS Software has posted a bulletin about the recent Apache Log4j2
> V2.14.1 (or earlier) vulnerability (CVE-2021-44228) as it affects
> #OpenVMS systems, including remediation for VSI-provided software
> components.
>
> The full notice can be retrieved from:
> https://vmssoftware.com/about/news/2021-12-14-cve-2021-44228-comments/

The zip command shown is twice wrong, unfortunately; the mitigations
other than zip or patching to current are no longer being recommended
AFAICT, and the VSI bulletin is unfortunately missing mention of the
CVE-2021-45046 and CVE-2021-4104 vulnerabilities.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

That the VSI bulletin doesn't mention the HPE 3PAR and XP
vulnerabilities is certainly understandable in some ways, but is also
less than helpful in others.

Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
affected and either need to be zip-mitigated, or need to be updated as
that becomes available, based on that notice, too.

--
Pure Personal Opinion | HoffmanLabs LLC