[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Grant Taylor
gtaylor at tnetconsulting.net
Thu Jan 6 22:05:24 EST 2022
On 1/6/22 6:02 PM, John Reagan wrote:
> The trouble is that log4j is at such a low level, it is buried in
> packages that are buried in other packages that are buried in even more
> packages. It might take a while for all of that to be squeezed out.
Purportedly Google's Project Zero put out a report (though I'm having
trouble finding it) wherein they did a massive analysis of Java packages
and found that Log4j was included as a dependency up to eight levels of
nesting.
Steve Gibson talked about it extensively on Security Now 850 from
December 21st 2021.
You can find a histogram in the show notes for SN 850 on file page 12
(numbered page 11):
Link - Security Now 850 Show Notes
- https://www.grc.com/sn/sn-850-notes.pdf
--
Grant. . . .
unix || die
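As an added example (not from the original post nor from any project mentioned in it), the following Python script walks `mvn dependency:tree` output and reports how many levels deep each log4j artifact is pulled in, along with the chain of dependencies responsible; the sample tree and every `com.example` artifact in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output (hypothetical project;
# every com.example artifact is made up for illustration).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.example:web-framework:jar:4.2:compile
[INFO] |  +- com.example:web-logging:jar:4.2:compile
[INFO] |  |  \\- com.example:logging-bridge:jar:1.8:compile
[INFO] |  |     \\- com.example:logging-adapter:jar:1.8:compile
[INFO] |  |        \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- com.example:web-util:jar:4.2:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

# 2.15.0 was the first mainline log4j 2.x release fixing CVE-2021-44228
# (backport releases for older Java lines exist and are not modelled here).
FIXED_MAINLINE = (2, 15, 0)


def parse_version(version: str) -> tuple:
    """Numeric prefix of a Maven version: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def find_log4j(tree_text: str) -> List[Dict]:
    """Report every log4j artifact in the tree with its nesting depth
    (0 = the project itself) and the dependency path that pulls it in."""
    stack: List[str] = []  # stack[d] = "group:artifact" currently open at depth d
    hits: List[Dict] = []
    for raw in tree_text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[len("[INFO] "):]
        # The tree is drawn in fixed 3-char cells: "+- ", "\- ", "|  ", "   ".
        prefix_len = re.match(r"[|+\\ -]*", body).end()
        if prefix_len % 3 or prefix_len == len(body):
            continue  # separator or status line, not a dependency
        depth = prefix_len // 3
        parts = body[prefix_len:].split(":")  # group:artifact:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]
        stack.append(ga)
        if parts[0] == "org.apache.logging.log4j":
            hits.append({"artifact": ga, "version": version, "depth": depth,
                         "path": " -> ".join(stack),
                         # only log4j-core carries the vulnerable JNDI lookup
                         "needs_review": parts[1] == "log4j-core"
                         and parse_version(version) < FIXED_MAINLINE})
    return hits


if __name__ == "__main__":
    for h in find_log4j(SAMPLE_TREE):
        print(f"depth {h['depth']}: {h['artifact']} {h['version']} "
              f"review={h['needs_review']}\n    {h['path']}")
```

Feed it the real output of `mvn dependency:tree` for a project to see whether log4j-core arrives only through several layers of other packages, which is the situation the thread describes.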