[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Craig A. Berry
craigberry at nospam.mac.com
Wed Dec 15 13:13:24 EST 2021
On 12/15/21 11:11 AM, Stephen Hoffman wrote:
> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
> affected and either need to be zip-mitigated, or need to be updated as
> that becomes available, based on that notice, too.
Does the zip mitigation (deleting a class from a JAR) work on signed jar
files? I would have thought not since I would expect changing any
contents of a signed jar file would invalidate the signature. Which
means waiting for the signer, in many cases a third party, to fix their
code and re-sign it. Or seek other mitigations.
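
An inventory check for the question above, as an added example that is not part of the original post: before applying the zip mitigation, it reports whether a JAR contains the Log4j 2 lookup class, whether it carries signature files, and whether the class has its own entry in the manifest. The class path is the well-known Log4j 2 one and is not quoted in the post; `inspect_jar`, `manifest_entry_names` and `build_sample_jar` are hypothetical names, and the sample JAR is constructed with placeholder bytes.

```python
import io
import re
import zipfile

# Class removed by the Log4j 2 "zip mitigation" (well-known path, not quoted in the post).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Signature files sit directly in META-INF/ (JAR specification).
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def manifest_entry_names(manifest_text):
    """Return the per-entry 'Name:' values of a MANIFEST.MF, unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n ", "", manifest_text)  # a leading space continues the previous line
    return {ln[6:].strip() for ln in unfolded.splitlines() if ln.startswith("Name: ")}


def inspect_jar(jar):
    """Inventory a JAR (path or file object) before deleting JndiLookup.class from it."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        listed = set()
        if "META-INF/MANIFEST.MF" in names:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            listed = manifest_entry_names(text)
    sig_files = sorted(n for n in names if SIG_FILE.match(n))
    return {
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "signed": bool(sig_files),
        "signature_files": sig_files,
        "class_in_manifest": JNDI_LOOKUP in listed,
    }


def build_sample_jar(signed):
    """Constructed sample: placeholder bytes only, no real Log4j code or real signature."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if signed:
            # Fold the Name header the way long manifest lines are folded.
            manifest += ("Name: " + JNDI_LOOKUP[:30] + "\r\n " + JNDI_LOOKUP[30:]
                         + "\r\nSHA-256-Digest: PLACEHOLDER\r\n\r\n")
            zf.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SAMPLE.RSA", b"placeholder")
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(JNDI_LOOKUP, b"placeholder")
    buf.seek(0)
    return buf
```

Running `jarsigner -verify` on a copy of the JAR before and after the deletion shows how the JDK in use treats the edited file.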