[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Fri Dec 31 09:02:58 EST 2021
On 12/31/2021 5:24 AM, Simon Clubley wrote:
> On 2021-12-30, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 12/20/2021 2:23 PM, Simon Clubley wrote:
>>> On 2021-12-20, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>> (Hoff already mentioned that one)
>>>
>>> I missed that. Sorry. :-)
>>
>> And they found yet another vulnerability so now 2.17.1 is out.
>>
>
> On the plus side, at least the discoveries are getting further apart. :-)
>
> As a gentle reminder to everyone, this is what awaits VMS if the
> researchers turn their attention to it. Log4j was in use for years
> and only after researchers turned their attention to it, did these
> longstanding issues get discovered.
It is clear that when some software gets a lot of attention, then
problems tend to be found.
VMS is not quite as attractive as log4j though.
> I'm sure that when the vulnerable Log4j versions were introduced,
> everyone continued to use it without thinking that they may have
> just introduced a vulnerability into their application.
I believe it has been there since 2.0.
The 2.x API is different from the 1.x API, but 2.x comes with a bridge
that supports the 1.x API, so maybe old applications that were upgraded
from 1.x to 2.x using the bridge are also impacted.
Obviously people were unaware of the problems.
And the vast majority (like 99.99%) have never used the features
that are causing the problems.
Arne
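One check a practitioner reading this thread would want is an inventory of which log4j jars an application actually ships: the log4j-core version, whether the 1.x bridge (log4j-1.2-api) is routing old API calls into log4j-core 2.x, whether JndiLookup.class is still inside the jar, and whether any of this is buried inside a war or a shaded jar. The Python below is an added example, not code from the post or from the log4j project. It assumes only the standard Maven pom.properties layout inside the jars and the documented path of JndiLookup.class; the sample jars it builds are constructed stand-ins with dummy class entries, not real log4j builds, and the "current" threshold is simply the 2.17.1 release named in the thread.

```python
"""Inventory log4j-core / log4j-1.2-api jars under a directory (added example)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry names follow the standard log4j / Maven jar layout.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties")
INTERESTING = ("log4j-core", "log4j-1.2-api")
THREAD_CURRENT = (2, 17, 1)          # release named in the thread above (assumption: your cutoff)
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CLASS_STUB = b"\xca\xfe\xba\xbe"     # class-file magic only; the scanner checks entry names, not bytes


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release suffix ignored)."""
    nums = []
    for part in text.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def assess(artifact, version, jndi_present):
    """Label one finding; the strings are this scanner's own, not an official classification."""
    if artifact == "log4j-1.2-api":
        return "bridge: 1.x API calls are routed into log4j-core 2.x, check that jar too"
    if artifact == "log4j-core" and version is not None:
        if not jndi_present:
            return "JndiLookup.class removed from jar (mitigated by class removal)"
        if parse_version(version) < THREAD_CURRENT:
            return "outdated log4j-core with JndiLookup.class present: upgrade"
        return "current"
    return "JndiLookup.class present but no log4j-core pom.properties (shaded/fat jar?)"


def inspect_archive(data, label, depth=0):
    """Return findings for one archive, recursing into nested jars/wars up to 3 levels."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        jndi_present = JNDI_LOOKUP_CLASS in names
        core_seen = False
        for name in sorted(names):
            m = POM_RE.fullmatch(name)
            if not m or m.group(1) not in INTERESTING:
                continue
            artifact, version = m.group(1), None
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            core_seen = core_seen or artifact == "log4j-core"
            findings.append({"archive": label, "artifact": artifact, "version": version,
                             "jndi_lookup": jndi_present,
                             "status": assess(artifact, version, jndi_present)})
        if jndi_present and not core_seen:   # shaded jar: class is there, pom is not
            findings.append({"archive": label, "artifact": None, "version": None,
                             "jndi_lookup": True, "status": assess(None, None, True)})
        if depth < 3:
            for name in sorted(names):
                if name.lower().endswith(NESTED_SUFFIXES):
                    findings.extend(inspect_archive(zf.read(name), f"{label}!{name}", depth + 1))
    return findings


def scan_directory(root):
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings


def _jar(*entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


def _pom(artifact, version):
    return (f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
            f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n")


def build_samples(root):
    """Write constructed sample jars (stand-ins, not real log4j builds) under root."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_jar(_pom("log4j-core", "2.14.1"), (JNDI_LOOKUP_CLASS, CLASS_STUB)))
    (lib / "log4j-core-2.17.1.jar").write_bytes(_jar(_pom("log4j-core", "2.17.1"), (JNDI_LOOKUP_CLASS, CLASS_STUB)))
    (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(_jar(_pom("log4j-core", "2.14.1")))
    (lib / "log4j-1.2-api-2.14.1.jar").write_bytes(_jar(_pom("log4j-1.2-api", "2.14.1"),
                                                         ("org/apache/log4j/Logger.class", CLASS_STUB)))
    inner = _jar(_pom("log4j-core", "2.13.3"), (JNDI_LOOKUP_CLASS, CLASS_STUB))
    (Path(root) / "app.war").write_bytes(_jar(("WEB-INF/lib/log4j-core-2.13.3.jar", inner)))
    (Path(root) / "shaded.jar").write_bytes(_jar((JNDI_LOOKUP_CLASS, CLASS_STUB), ("com/example/Main.class", CLASS_STUB)))


def demo():
    """Build the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['archive']}: {f['artifact']} {f['version']} jndi={f['jndi_lookup']} -> {f['status']}")
```

Point `scan_directory` at a real deployment directory to get the same report; the bridge jar is reported on its own line so that applications still written against the 1.x API are not overlooked, and a jar that carries JndiLookup.class without a log4j-core pom.properties is flagged separately because shaded builds are exactly the ones a filename-based search misses.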