[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)

Craig A. Berry craigberry at nospam.mac.com
Wed Dec 15 13:49:02 EST 2021


On 12/15/21 12:24 PM, Arne Vajhøj wrote:
> On 12/15/2021 1:13 PM, Craig A. Berry wrote:
>> On 12/15/21 11:11 AM, Stephen Hoffman wrote:
>>> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are 
>>> affected and either need to be zip-mitigated, or need to be updated 
>>> as that becomes available, based on that notice, too.
>>
>> Does the zip mitigation (deleting a class from a JAR) work on signed jar
>> files?  I would have thought not since I would expect changing any
>> contents of a signed jar file would invalidate the signature.
> 
> Changing the jar file will obviously invalidate the signature.
> 
> But as far as I can see then log4j jars are not signed.

The application packager, not the library developer, has to do the
signing.  So, for example, OpenWebStart apps have to sign all the
downloadable jars with the same code-signing certificate.
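An added example (not part of the thread or of any VSI/HPE tooling) of the check the question above implies: before applying the zip mitigation to a log4j-core jar, confirm whether the jar is signed, because a JAR signature covers every entry named in META-INF/*.SF and removing a covered entry breaks verification. The class path is the JndiLookup entry the mitigation removes; the sample jars and the "VENDOR" signature file names are constructed here.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def inspect_jar(data: bytes) -> dict:
    """Report whether the jar is signed and whether JndiLookup.class is present/covered."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        sig_files = [n for n in meta if n.upper().endswith(".SF")]
        sig_blocks = [n for n in meta if n.upper().endswith(SIG_BLOCK_EXT)]
        covered = set()  # entries listed in a .SF file are covered by the signature
        for sf in sig_files:
            for line in zf.read(sf).decode("utf-8", "replace").splitlines():
                if line.startswith("Name: "):
                    covered.add(line[6:].strip())
        return {
            "signed": bool(sig_files and sig_blocks),
            "has_jndi_lookup": JNDI_LOOKUP in names,
            "jndi_lookup_signed": JNDI_LOOKUP in covered,
        }


def strip_class(data: bytes, entry: str = JNDI_LOOKUP) -> bytes:
    """Zip mitigation: copy the jar without `entry`. Refuses signed jars, since the
    signature would no longer verify once a covered entry is gone."""
    if inspect_jar(data)["signed"]:
        raise ValueError("signed jar: remove the class upstream and re-sign instead")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != entry:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(signed: bool) -> bytes:
    """Constructed sample jar (not a real log4j build), optionally with fake signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        if signed:
            zf.writestr("META-INF/VENDOR.SF", f"Signature-Version: 1.0\n\nName: {JNDI_LOOKUP}\nSHA-256-Digest: AAAA\n")
            zf.writestr("META-INF/VENDOR.RSA", b"constructed placeholder, not PKCS#7")
    return buf.getvalue()
```

Run inspect_jar on the real jar bytes before deciding between the zip mitigation and an updated build; the signature block here is a placeholder, so a real deployment should still verify with jarsigner after any change.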


