[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Arne Vajhøj
arne at vajhoej.dk
Wed Dec 15 13:24:50 EST 2021
On 12/15/2021 1:13 PM, Craig A. Berry wrote:
> On 12/15/21 11:11 AM, Stephen Hoffman wrote:
>> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
>> affected and either need to be zip-mitigated, or need to be updated
>> as that becomes available, based on that notice, too.
>
> Does the zip mitigation (deleting a class from a JAR) work on signed jar
> files? I would have thought not since I would expect changing any
> contents of a signed jar file would invalidate the signature.
Changing the jar file will obviously invalidate the signature.
But as far as I can see, log4j jars are not signed.
Arne
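
Added example, not part of the original message or of any VSI/HPE tooling: a Python check that reports whether an archive carries JAR signature entries under META-INF/ and whether it still contains the JndiLookup class that the zip mitigation deletes. It goes beyond the thread by also descending into nested archives such as a Tomcat WAR; the sample archives and their names are constructed placeholders.

```python
import io
import re
import sys
import zipfile

# Class that the zip mitigation for CVE-2021-44228 deletes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# JAR signature files (.SF) and signature blocks sit directly under META-INF/.
SIG_RE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)
NESTED = (".jar", ".war", ".ear")


def inspect_jar(jar, label="<jar>"):
    """Return one finding per archive, outer first, then nested ones."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        sigs = sorted(n for n in names if SIG_RE.match(n))
        findings.append({"archive": label, "signed": bool(sigs),
                         "signature_entries": sigs,
                         "has_jndi_lookup": JNDI_LOOKUP in names})
        for n in names:
            if n.lower().endswith(NESTED):
                inner = f"{label}!/{n}"
                try:
                    findings += inspect_jar(io.BytesIO(zf.read(n)), inner)
                except zipfile.BadZipFile:
                    findings.append({"archive": inner, "error": "not a zip"})
    return findings


def build_sample_jar(entries):
    """Build a constructed in-memory archive from {name: bytes} (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed samples: placeholder bytes, not real classes or signatures.
UNSIGNED_SAMPLE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
                   JNDI_LOOKUP: b"\xca\xfe\xba\xbe"}
SIGNED_SAMPLE = {**UNSIGNED_SAMPLE,
                 "META-INF/SAMPLE.SF": b"Signature-Version: 1.0\r\n",
                 "META-INF/SAMPLE.RSA": b"placeholder"}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for finding in inspect_jar(path, path):
            print(finding)
```

Run it with one or more archive paths as arguments; it only inspects entry names and does not verify signatures or modify the files.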