[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
John Reagan
xyzzy1959 at gmail.com
Thu Jan 6 20:02:05 EST 2022
On Thursday, January 6, 2022 at 6:54:59 PM UTC-5, Arne Vajhøj wrote:
> On 1/6/2022 5:21 PM, George Cornelius wrote:
> > My home Linux box has Libre Office, and some report writer functionality
> > had a dependency on log4j and it did not seem to be possible to remove
> > log4j without using some kind of --force-remove option, although I
> > suppose I could have just hidden the executable for that portion of
> > Libre Office.
> >
> > I see I have the log4j patch in now as part of a routine patch
> > application, but I don't believe it was there to begin with so I was
> > exposed for a few days.
> log4j is almost everywhere.
>
> But the attack vector in LO must be rather narrow compared to
> all the server applications.
>
> Arne
The trouble is that log4j is at such a low level, it is buried in packages that are
buried in other packages that are buried in even more packages. It might take a
while for all of that to be squeezed out.
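
Added example, not part of the original post or of any poster's code: a Python sketch of how a defender can look for log4j-core copies buried in packages inside other packages, by recursing through nested archives and reporting the full nesting path of each JndiLookup.class. The archive names in the sample (app.war, reporting.jar, log4j-core.jar) are constructed, and the depth and size limits are assumptions.

```python
import io
import zipfile

# Presence of this class means a log4j-core 2.x copy is embedded; the class
# alone does not tell you the version, which still has to be checked.
MARKER = "log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MAX_MEMBER = 64 * 1024 * 1024  # skip oversized members instead of inflating them


def find_log4j(data, path, max_depth=8):
    """Return the nesting path of every JndiLookup.class inside archive bytes."""
    hits = []
    if max_depth < 0:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # named like an archive but not one
    with zf:
        for info in zf.infolist():
            inner = f"{path}!/{info.filename}"
            if info.filename.endswith(MARKER):
                hits.append(inner)
            elif info.filename.lower().endswith(ARCHIVES) and info.file_size <= MAX_MEMBER:
                hits.extend(find_log4j(zf.read(info), inner, max_depth - 1))
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (used for the sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample: log4j-core two levels down inside a WAR."""
    core = make_zip({"org/apache/logging/" + MARKER: b"placeholder"})
    reporting = make_zip({"lib/log4j-core.jar": core, "com/example/Report.class": b""})
    libs = {"WEB-INF/lib/reporting.jar": reporting, "WEB-INF/lib/broken.jar": b"not a zip"}
    return make_zip(libs)


if __name__ == "__main__":
    for hit in find_log4j(build_sample(), "app.war"):
        print(hit)
```

A scan that only checks top-level file names for log4j would miss this copy; the suffix match on the class path also catches copies unpacked into WEB-INF/classes or relocated under another package prefix.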