[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)
Arne Vajhøj
arne at vajhoej.dk
Wed Dec 15 14:00:37 EST 2021
On 12/15/2021 1:49 PM, Craig A. Berry wrote:
> On 12/15/21 12:24 PM, Arne Vajhøj wrote:
>> On 12/15/2021 1:13 PM, Craig A. Berry wrote:
>>> On 12/15/21 11:11 AM, Stephen Hoffman wrote:
>>>> Seems that VSI and HPE Java distributions and VSI and HPE Tomcat are
>>>> affected and either need to be zip-mitigated, or need to be updated
>>>> as that becomes available, based on that notice, too.
>>>
>>> Does the zip mitigation (deleting a class from a JAR) work on signed jar
>>> files? I would have thought not since I would expect changing any
>>> contents of a signed jar file would invalidate the signature.
>>
>> Changing the jar file will obviously invalidate the signature.
>>
>> But as far as I can see then log4j jars are not signed.
>
> The application packager, not the library developer, has to do the
> signing. So, for example, OpenWebStart apps have to sign all the
> downloadable jars with the same code-signing certificate.
In that case you will need to have that signer sign the modified
version.
I know very little about Java Web Start, but I would have thought that
it ran with a security manager preventing both access to remote
systems and local access.
Arne