[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

DeanW dean.woodward at gmail.com
Thu Jan 6 20:33:25 EST 2022


On Thu, Jan 6, 2022 at 5:20 PM John Reagan via Info-vax <info-vax at rbnsn.com> wrote:

> On Thursday, January 6, 2022 at 6:54:59 PM UTC-5, Arne Vajhøj wrote:
> > log4j is almost everywhere.
> >
> > But the attack vector in LO must be rather narrow compared to
> > all the server applications.
>

The attack surface is even bigger and less well protected.

> > Arne
> The trouble is that log4j is at such a low level, it is buried in packages
> that are buried in other packages that are buried in even more packages.
> It might take a while for all of that to be squeezed out.
>

Bingo. Doesn't matter that none of them were using this mis-feature, because
it's enabled by default, so unless your team made the conscious decision to
remove it, you're vulnerable.

I would hope the Open Source community learns from this, but I am an
optimist...
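The practical consequence of the point above, that log4j-core arrives as a transitive dependency buried inside other packages with the lookup enabled by default, is that the hard part is finding every copy, including ones a build manifest never mentions (shaded "fat" jars, jars inside WARs inside EARs). The following is an added example, not code from the mailing list or from the log4j project: a scanner that recursively opens JAR/WAR/EAR archives, reports each bundled log4j-core with its version, and checks whether JndiLookup.class is still present. It assumes the Maven pom.properties path that log4j-core publishes under META-INF and the fix versions from the Apache advisory for CVE-2021-44228 (2.15.0, with the 2.12.2 and 2.3.1 backports); the sample WAR it builds when run without arguments is constructed for the demonstration and contains no real bytecode.

```python
"""Scan JARs/WARs/EARs, including archives nested inside archives, for a
bundled log4j-core and report whether it still ships JndiLookup.class.

Added example, not part of the mailing-list post or the log4j project.
Detection rules (assumptions stated in the lead-in):
  * log4j-core is identified by its Maven pom.properties path or, for shaded
    jars that drop that file, by the JndiLookup class itself;
  * the CVE-2021-44228 fix shipped in 2.15.0 (backports 2.12.2 for Java 7 and
    2.3.1 for Java 6); anything older that still contains JndiLookup.class is
    reported as vulnerable. Deleting that class from the jar is the mitigation
    Apache documented for installations that could not upgrade.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                  # "app.war!WEB-INF/lib/log4j-core-2.14.1.jar"
    version: str               # from pom.properties, or "unknown" when shaded
    jndi_lookup_present: bool

    @property
    def vulnerable(self) -> bool:
        # Without the lookup class the JNDI code path cannot be reached,
        # whatever the version string says; an unknown version is treated
        # as unfixed so that shaded copies are never silently passed.
        return self.jndi_lookup_present and not fixed_for_44228(self.version)


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); junk -> (0, 0, 0)."""
    nums = []
    for part in v.split("-")[0].split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple((nums + [0, 0, 0])[:3])


def fixed_for_44228(version: str) -> bool:
    """True for 2.15.0 and later, and for the 2.12.2 / 2.3.1 backport lines."""
    v = parse_version(version)
    return (v >= (2, 15, 0)
            or (2, 12, 2) <= v < (2, 13, 0)
            or (2, 3, 1) <= v < (2, 4, 0))


def scan_bytes(data: bytes, path: str,
               findings: Optional[List[Finding]] = None) -> List[Finding]:
    """Walk one archive and every archive nested in it, collecting findings.
    Nested archives are read into memory, so cap input size on untrusted data."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a zip (or corrupt): nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                if m:
                    version = m.group(1).strip()
            findings.append(Finding(path, version, JNDI_LOOKUP in names))
        for name in sorted(names):
            if name.lower().endswith(NESTED_EXT):
                scan_bytes(zf.read(name), f"{path}!{name}", findings)
    return findings


def scan_file(filename: str) -> List[Finding]:
    with open(filename, "rb") as fh:
        return scan_bytes(fh.read(), filename)


def build_sample_war(version: str, strip_jndi: bool) -> bytes:
    """Constructed test input: a WAR bundling a fake log4j-core jar under
    WEB-INF/lib. Class entries are empty placeholders, not real bytecode."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if not strip_jndi:             # strip_jndi mimics the documented removal
            zf.writestr(JNDI_LOOKUP, b"")
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", core.getvalue())
        zf.writestr("WEB-INF/lib/some-other-lib-1.0.jar", other.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    results: List[Finding] = []
    if sys.argv[1:]:
        for target in sys.argv[1:]:
            results += scan_file(target)
    else:   # no arguments: demonstrate on the constructed sample WAR
        results = scan_bytes(build_sample_war("2.14.1", False), "sample.war")
    for f in results:
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{state:10} {f.path}  version={f.version}  "
              f"JndiLookup={'present' if f.jndi_lookup_present else 'absent'}")
```

Run it as `python scan_log4j.py /opt/app/*.war /opt/app/lib/*.jar` to walk real deployments; with no arguments it scans the constructed sample and reports `VULNERABLE sample.war!WEB-INF/lib/log4j-core-2.14.1.jar`. The point of opening the archives rather than reading the build's dependency list is exactly the burying described in the thread: a copy of log4j-core shaded into another vendor's jar, or a WAR dropped into a container by a third party, never appears in your own manifest.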
