[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
Arne Vajhøj
arne at vajhoej.dk
Fri Jan 7 09:17:41 EST 2022
On 1/6/2022 10:05 PM, Grant Taylor wrote:
> On 1/6/22 6:02 PM, John Reagan wrote:
>> The trouble is that log4j is at such a low level, it is buried in
>> packages that are buried in other packages that are buried in even
>> more packages. It might take a while for all of that to be squeezed out.
>
> Purportedly Google's Project Zero put out a report (though I'm having
> trouble finding it) wherein they did a massive analysis of Java packages
> and found that Log4j was included as a dependency up to eight levels of
> nesting.
>
> Steve Gibson talked about it extensively on Security Now 850 from
> December 21st 2021.
>
> You can find a histogram in the show notes for SN 850 on file page 12
> numbered page 11:
>
> Link - Security Now 850 Show Notes
> - https://www.grc.com/sn/sn-850-notes.pdf
Yes.
That is the curse of modern package managers. You include
a handful of things and that causes dozens/hundreds/thousands
of dependencies and dependencies of dependencies and ...
to be pulled in.
Java got Maven, .NET got NuGet, PHP got Composer, Python
got pip, JS got npm and so on (there are many others, but the
above should illustrate).
Arne
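As an added example for this thread (not code from Arne's post, from Grant's or John's, or from any project named here), the following script shows what "buried in packages that are buried in other packages" looks like in practice for the Maven case Arne mentions: it parses the text output of `mvn dependency:tree`, walks the nesting with a stack of ancestors, and reports every transitive path that ends in `org.apache.logging.log4j:log4j-core`, with its depth and a version-only check against CVE-2021-44228. The sample tree is constructed; every `com.example` coordinate in it is hypothetical, and only the `org.apache.logging.log4j` coordinates are real. All function names are my own.

```python
"""Locate every transitive path to log4j-core in `mvn dependency:tree` output.

Added example for this thread, not code from the original post or from any
project it mentions. The sample tree is constructed: the com.example
coordinates are hypothetical; only the org.apache.logging.log4j ones are real.
Maven's text tree prints one artifact per line, indented with three-character
groups ("+- ", "\\- ", "|  ", "   "), so an artifact's nesting depth is the
length of that prefix divided by three.
"""
import re

# Constructed sample: log4j-core is never a direct dependency of the app; it
# arrives four levels down through one library and two levels down through
# another, at different versions. Non-tree lines are included as noise.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:web-framework:jar:4.2.0:compile
[INFO] |  +- com.example:http-client:jar:1.9.3:compile
[INFO] |  |  \\- com.example:logging-bridge:jar:0.8.1:compile
[INFO] |  |     \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  |        \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- com.example:json:jar:2.11.0:compile
[INFO] \\- com.example:metrics:jar:3.0.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

TREE_CHARS = set("|+\\- ")

# Earliest release on each maintained 2.x line that fixes CVE-2021-44228:
# 2.15.0 on the main line, with backports 2.12.2 (Java 7) and 2.3.1 (Java 6).
FIXED_IN = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 2)}
FIXED_MAIN = (2, 15, 0)


def parse_line(line):
    """Return (depth, group, artifact, version) for an artifact line, else None."""
    if not line.startswith("[INFO] "):
        return None
    body = line[len("[INFO] "):]
    i = 0
    while i < len(body) and body[i] in TREE_CHARS:
        i += 1
    prefix, coord = body[:i], body[i:]
    parts = coord.split(":")
    # Artifact lines are group:artifact:packaging[:classifier]:version[:scope]
    # with no spaces; anything else (separators, "BUILD SUCCESS") is skipped.
    if len(parts) < 4 or " " in coord:
        return None
    version = parts[3] if len(parts) == 4 else parts[-2]
    return len(prefix) // 3, parts[0], parts[1], version


def find_paths(tree_text, group="org.apache.logging.log4j", artifact="log4j-core"):
    """Walk the tree keeping a stack of ancestors; report each occurrence of the
    target artifact with its depth and the dependency chain that pulled it in."""
    stack = []      # stack[d] holds the "group:artifact:version" currently at depth d
    findings = []
    for line in tree_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        depth, g, a, v = parsed
        del stack[depth:]           # drop the previous subtree at this depth and below
        stack.append(f"{g}:{a}:{v}")
        if g == group and a == artifact:
            findings.append({"version": v, "depth": depth, "path": list(stack)})
    return findings


def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Stops at the first non-numeric piece."""
    nums = []
    for piece in re.split(r"[.-]", v):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def is_vulnerable(v):
    """Version-only check for CVE-2021-44228 on log4j-core 2.x. It cannot see a
    jar whose JndiLookup class was stripped by hand, and it does not apply to
    log4j-api or to the separate 1.x log4j:log4j artifact."""
    t = version_tuple(v)
    if not t or t[0] != 2:
        return False
    return t < FIXED_IN.get(t[:2], FIXED_MAIN)


def report(tree_text):
    """One human-readable line per log4j-core occurrence, in tree order."""
    out = []
    for f in find_paths(tree_text):
        status = "VULNERABLE" if is_vulnerable(f["version"]) else "fixed"
        out.append(f"log4j-core {f['version']} at depth {f['depth']} [{status}]: "
                   + " -> ".join(f["path"]))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print(line)
```

Feed it the saved output of `mvn dependency:tree` for a real build and the depth column is the "levels of nesting" figure from the histogram discussed above, per path rather than per ecosystem. Two caveats a practitioner should keep in mind: the tree only contains what Maven resolved, so a shaded or "fat" jar that embeds a relocated copy of log4j-core, or a jar dropped into a lib/ directory by hand, never shows up in it, and a scan of the jar contents for `org/apache/logging/log4j/core/lookup/JndiLookup.class` is the complementary check; and a version string says nothing about a jar that was patched by deleting that class, which the version check will still flag.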