[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Craig A. Berry
craigberry at nospam.mac.com
Wed Dec 15 13:45:39 EST 2021
On 12/15/21 12:28 PM, Stephen Hoffman wrote:
> On 2021-12-15 17:52:25 +0000, hb said:
>
>> On 12/15/21 6:11 PM, Stephen Hoffman wrote:
>>
>>> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
>>> affected and either need to be zip-mitigated, or needs to be updated as
>>> that becomes available, based on that notice, too.
>>
>> As far as I know, VSI and HPE Tomcat, aka CSWS_JAVA, are based on Apache
>> Tomcat and the latter is not affected:
>> https://cwiki.apache.org/confluence/display/TOMCAT/Security#Security-Q13.
>>
>> Whether applications deployed to Tomcat use log4j2 is a different
>> question.
>
> Okay. Sure. Tomcat itself is not vulnerable. Alas, approximately nobody
> uses that configuration. Which means that apps using Tomcat will have to
> be checked. Which usually means zip mitigation, or updates.
Or changes to the configuration to prevent lookups, which can sometimes
be done by a simple replacement in the configuration file:
perl -pi -e 's/\%m\b/%m{noLookups}/g;' log4j2.xml
or by tweaking various environment variables to do the equivalent. But
just as a finger in the dike until an updated log4j can be incorporated
into the relevant package.
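The configuration-side mitigation described above (adding {nolookups} to the message specifier), as an added example that is not part of this thread: a Python script that audits a log4j2.xml for PatternLayout patterns still permitting lookups and produces the hardened form. It goes a little beyond the one-liner in that it also covers %msg and %message, an existing {ansi} or {lookups} option group, and the nested <Pattern> element; the sample configuration is constructed for the demonstration.

```python
"""Audit a log4j2.xml for message specifiers (%m, %msg, %message) that still
permit lookups, and produce the %m{nolookups} form for each one."""
import re
import xml.etree.ElementTree as ET

# A message specifier plus zero or more {option} groups. The \b after the
# name keeps %mdc, %marker and similar from matching as a bare %m.
MSG_SPEC = re.compile(r"%(message|msg|m)\b((?:\{[^}]*\})*)")

def _harden_spec(match):
    """Rebuild one specifier with {nolookups} as its last option group."""
    name, opts = match.group(1), match.group(2)
    # Keep unrelated options such as {ansi}; drop {lookups}/{nolookups} and
    # re-add {nolookups}, so an explicit {lookups} is overridden as well.
    kept = [o for o in re.findall(r"\{([^}]*)\}", opts)
            if o.strip().lower() not in ("lookups", "nolookups")]
    kept.append("nolookups")
    return "%" + name + "".join("{" + o + "}" for o in kept)

def harden_pattern(pattern):
    """Return the conversion pattern with lookups disabled in every %m."""
    return MSG_SPEC.sub(_harden_spec, pattern)

def audit_config(xml_text):
    """Return (appender name, original, hardened) for every PatternLayout whose
    pattern still allows lookups; reads both pattern="..." and <Pattern>."""
    root = ET.fromstring(xml_text)
    findings = []
    for appender in root.iter():
        for layout in appender.findall("PatternLayout"):
            original = layout.get("pattern")
            if original is None:
                child = layout.find("Pattern")
                if child is None or not child.text:
                    continue
                original = child.text
            hardened = harden_pattern(original)
            if hardened != original:
                findings.append((appender.get("name", appender.tag), original, hardened))
    return findings

# Constructed sample: Console is unpatched, File already carries %m{nolookups}.
SAMPLE_LOG4J2_XML = """<Configuration>
  <Appenders>
    <Console name="Console"><PatternLayout pattern="%d [%t] %-5p %c{36} - %msg%n"/></Console>
    <File name="File" fileName="app.log">
      <PatternLayout><Pattern>%d %p %c{1.} [%t] %m{nolookups}%n</Pattern></PatternLayout>
    </File>
  </Appenders>
</Configuration>"""
```

As the reply says, this only narrows the exposure in the logging pattern; the durable fix is updating log4j itself.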