[Info-vax] VSI Comments on OpenVMS-related Log4j2 vulnerability (CVE-2021-44228)

Arne Vajhøj arne at vajhoej.dk
Wed Dec 15 14:13:45 EST 2021


On 12/15/2021 11:17 AM, Bob Gezelter wrote:
> VMS Software has posted a bulletin about the recent Apache Log4j2
> V2.14.1 (or earlier) vulnerability (CVE-2021-44228) as it affects
> #OpenVMS systems, including remediation for VSI-provided software
> components.
> 
> 
> The full notice can be retrieved from:
> https://vmssoftware.com/about/news/2021-12-14-cve-2021-44228-comments/
> #Log4j2

They basically say that Tomcat and the Kafka client do not use log4j.

And that Axis2 and ActiveMQ use log4j 1.x, which in general is not
good but in relation to this particular problem is good.

And refer a few third-party products to the third party.

But it is worth noting that this is the easy part.

There are only a few hundred/thousand "platform products"
using log4j - vendors create patches - customers hopefully
install.

A much bigger problem is those hundreds of thousands/millions
of business applications using log4j from thousands/tens of thousands
of vendors. Just due to the numbers some will be missed.

And then there is the problem of "thingys" having a Java
application using log4j inside. Many people will not be
aware that they run Java. And they can be difficult to
update.

Arne


