[Info-vax] Java, log4j, log4shell, and OpenVMS: CVE-2021-44228
John Reagan
xyzzy1959 at gmail.com
Fri Jan 7 10:18:15 EST 2022
On Thursday, January 6, 2022 at 10:05:31 PM UTC-5, Grant Taylor wrote:
> On 1/6/22 6:02 PM, John Reagan wrote:
> > The trouble is that log4j is at such a low level, it is buried in
> > packages that are buried in other packages that are buried in even more
> > packages. It might take a while for all of that to be squeezed out.
> Purportedly Google's Project Zero put out a report (though I'm having
> trouble finding it) wherein they did a massive analysis of Java packages
> and found that Log4j was included as a dependency up to eight levels of
> nesting.
>
> Steve Gibson talked about it extensively on Security Now 850 from
> December 21st 2021.
>
> You can find a histogram in the show notes for SN 850 on file page 12
> numbered page 11:
>
> Link - Security Now 850 Show Notes
> - https://www.grc.com/sn/sn-850-notes.pdf
>
>
>
> --
> Grant. . . .
> unix || die
Yes, that's where I got my info. I listen to SN (and other podcasts) while I'm working.
I often find myself talking back to Steve/Leo without realizing it (I need real friends, eh?)