[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Arne Vajhøj
arne at vajhoej.dk
Wed Dec 15 13:36:57 EST 2021
On 12/15/2021 12:11 PM, Stephen Hoffman wrote:
> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
> affected and either need to be zip-mitigated, or needs to be updated as
> that becomes available, based on that notice, too.
Neither HPE nor VSI Java comes with log4j. Java itself does not log
at all - it just provides its own logging framework for use.
Neither HPE nor VSI Tomcat comes with log4j. Tomcat uses
java.util.logging (aka jul, aka jdk14 logging) in a customized flavor
called juli.
So they, as products, do not have the vulnerability and cannot
be fixed by updating.
But a Tomcat installation may very well have the vulnerability.
Nobody installs Tomcat just to run Tomcat. Tomcat is installed to
run Java web applications. And those web applications may use log4j.
And that applies both to third-party Java web applications and
to home-grown Java web applications.
So people should check.
A clean Tomcat install does not have any log4j in the lib dir, but
log4j could have been put there after installation (to make it
available for all web apps instead of having to deploy it for each).
And every web app could have it - after the WAR is unpacked it will be in
webapps/something/WEB-INF/lib.
And as stated previously, look out for fat jars as well!
But that is not HPE/VSI's responsibility - that is the third party's/home grower's
responsibility.
Arne
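The checks Arne describes, turned into a scanner as an added example (this is not code from the original post, from Tomcat, or from VSI/HPE): it walks a Tomcat base directory's lib/ and webapps/, opens every JAR/WAR it finds, recurses into archives nested inside them (fat jars, unexploded WARs), and reports each log4j 2 core it finds together with whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present, the class the "zip mitigation" mentioned in the quoted reply removes. It assumes a POSIX-style Tomcat layout (lib/ and webapps/ under CATALINA_BASE); the tree that demo() scans is constructed in a temporary directory, and the JAR names and version numbers in it are made up for the demonstration.

```python
"""Find log4j 2 (and a live JndiLookup.class) inside a Tomcat install tree.

Added example, not part of the original post. Paths and jar names in the
demo tree are constructed; the scan itself only relies on the standard
Tomcat layout of CATALINA_BASE/lib and CATALINA_BASE/webapps.
"""
import io
import os
import tempfile
import zipfile

# Class whose presence means the JNDI lookup (CVE-2021-44228) is still live.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Package prefix that identifies log4j-core classes however they are packaged.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def inspect_archive(data, label, depth=0, max_depth=4):
    """Return [(label, jndi_present)] for every log4j-core found in this
    archive or in archives nested inside it (fat jars, WARs).
    Nested locations are written as outer!inner, like the JDK's jar: URLs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive, nothing to look at
    with zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            findings.append((label, JNDI_LOOKUP in names))
        if depth < max_depth:  # bound recursion on pathological nesting
            for n in names:
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_archive(
                        zf.read(n), f"{label}!{n}", depth + 1, max_depth))
    return findings


def scan_tomcat(catalina_base):
    """Walk lib/ (shared jars) and webapps/ (WARs and exploded WEB-INF/lib).
    Labels are relative to catalina_base so results are stable."""
    findings = []
    for sub in ("lib", "webapps"):
        for dirpath, _dirs, files in os.walk(os.path.join(catalina_base, sub)):
            for fn in files:
                path = os.path.join(dirpath, fn)
                rel = os.path.relpath(path, catalina_base).replace(os.sep, "/")
                if rel.endswith(JNDI_LOOKUP):
                    # loose class under WEB-INF/classes, no jar at all
                    findings.append((rel, True))
                elif fn.lower().endswith(ARCHIVE_SUFFIXES):
                    with open(path, "rb") as fh:
                        findings.extend(inspect_archive(fh.read(), rel))
    return findings


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_demo_tree(base):
    """Write a constructed, minimal Tomcat-like tree under base (made-up names):
      lib/log4j-core-2.14.1.jar                 shared jar, JndiLookup present
      lib/tomcat-juli.jar                       Tomcat's own logging, clean
      webapps/app/WEB-INF/lib/log4j-core-2.14.1.jar  exploded WAR, zip-mitigated
      webapps/fat.war -> WEB-INF/lib/app-all.jar     fat jar hiding log4j
    """
    stub = b"\xca\xfe\xba\xbe"  # class-file magic, enough for name matching
    core = {LOG4J_CORE_PREFIX + "Logger.class": stub, JNDI_LOOKUP: stub}
    mitigated = {LOG4J_CORE_PREFIX + "Logger.class": stub}
    juli = {"org/apache/juli/FileHandler.class": stub}
    fat_jar = _zip_bytes({**core, "com/example/App.class": stub})
    war = _zip_bytes({"WEB-INF/lib/app-all.jar": fat_jar, "index.jsp": b"<html/>"})
    files = {
        "lib/log4j-core-2.14.1.jar": _zip_bytes(core),
        "lib/tomcat-juli.jar": _zip_bytes(juli),
        "webapps/app/WEB-INF/lib/log4j-core-2.14.1.jar": _zip_bytes(mitigated),
        "webapps/fat.war": war,
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed tree; return {location: jndi_lookup_present}."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return dict(scan_tomcat(base))


if __name__ == "__main__":
    for loc, live in sorted(demo().items()):
        print(f"{loc}: log4j-core found, JndiLookup.class "
              f"{'PRESENT' if live else 'removed'}")
```

Run it against a real install as scan_tomcat("/path/to/CATALINA_BASE"); a hit with JndiLookup.class present is the case that needs the update or the zip mitigation, while a hit without it has already been mitigated. The scan is name-based, so a jar that shades log4j under a different package would be missed, which is exactly why the fat-jar warning in the post matters.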