[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Dec 15 13:28:03 EST 2021
On 2021-12-15 17:52:25 +0000, hb said:
> On 12/15/21 6:11 PM, Stephen Hoffman wrote:
>
>> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
>> affected and either need to be zip-mitigated, or need to be updated as
>> that becomes available, based on that notice, too.
>
> As far as I know, VSI and HPE Tomcat, aka CSWS_JAVA, are based on Apache
> Tomcat and the latter is not affected:
> https://cwiki.apache.org/confluence/display/TOMCAT/Security#Security-Q13.
>
> Whether applications deployed to Tomcat use log4j2 is a different question.
Okay. Sure. Tomcat itself is not vulnerable. Alas, approximately nobody
uses that configuration. Which means that apps using Tomcat will have
to be checked. Which usually means zip mitigation, or updates.
--
Pure Personal Opinion | HoffmanLabs LLC