Arne Vajhøj
2021-12-14 01:51:48 UTC
Java and log4j / log4shell (CVE-2021-44228) remote command execution vulnerability
intro: https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare
Base OpenVMS itself does not include Java, though add-on apps and
layered products can have dependencies and can install Java.
If you have Java installed anywhere on OpenVMS (try DIRECTORY
ddcu:[*...]JAVA*, etc), you will need to evaluate your configuration in
more detail.
You'll want to evaluate other components and services around your
servers, as well.
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592#file-20211210-tlp-white_log4j-md
Reportedly, all versions of Java are vulnerable when log4j is present
and reachable, and exploits are active and under development.
It appears there are efforts underway to create worms using this
vulnerability, as well.
"all versions of Java are vulnerable when log4j is present and reachable"
is a funny description.
It is a vulnerability for all running Java applications using
log4j 2.0 - 2.14.1 that log user input.
That is serious. A very large portion of Java server applications
(think 50% magnitude!) use log4j and it seems likely that most of
them have potential for logging user input (user input is important
when troubleshooting).
The version of Java does not impact a bug in log4j any more than
the version of the C compiler impacts a buffer overrun in a C library.
Note that log4j 2.x does not run on VMS Alpha due to too old Java
version (2.0 - 2.3 requires Java 6, 2.4 - 2.12.1 requires Java 7 and
2.13 and newer requires Java 8).
And log4j 1.x is not vulnerable to this bug. But it is out of
support and has other vulnerabilities, so it is not a good
version to be on.
But anybody running a Java application on Itanium that uses
log4j 2.x better upgrade to 2.15 or newer (latest as of today
is 2.16).
To check:
$ dir [wherever...]log4j-core-2.*.jar
should reveal any log4j 2.x present in that tree.
Every system manager would (hopefully) know whether Java
is installed or not - but very few will know offhand
which applications use log4j, so you better check!!
Arne
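The DIR check in the post finds log4j-core 2.x jars by filename. The script below is an added example, not code from the post or from the log4j project: it walks a directory tree, reads the version Maven records inside each jar (falling back to the filename), classifies it against the ranges Arne gives (1.x unaffected by this bug but unsupported, 2.0 - 2.14.1 vulnerable, 2.15 or newer fixed), and also reports 2.x jars from which JndiLookup.class has been deleted, the published workaround for unpatched versions. The tree it scans is constructed by build_sample_tree() for illustration; on OpenVMS you would point scan() at the same tree DIRECTORY would search. Python is assumed available; nothing in the code is VMS specific.

```python
"""Locate log4j jars under a directory tree and classify them against the
version ranges given in the post (CVE-2021-44228 affects log4j 2.0 - 2.14.1).

Added example, not code from the post. The jars written by build_sample_tree()
are constructed stand-ins containing only the entries the scanner inspects."""
import os
import re
import tempfile
import zipfile

CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
LEGACY_RE = re.compile(r"^log4j-(1(?:\.\d+)*)\.jar$", re.IGNORECASE)
# Class implementing the JNDI lookup; the vendor workaround for unpatched 2.x
# jars was to delete it from the jar, so its absence is worth reporting.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_FLOOR = (2, 15)  # "upgrade to 2.15 or newer" per the post; raise as later advisories require


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def jar_version(path):
    """Prefer the version Maven records inside the jar; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.endswith("log4j-core/pom.properties"):
                    for line in zf.read(name).decode("ascii", "replace").splitlines():
                        if line.startswith("version="):
                            return parse_version(line.split("=", 1)[1].strip())
    except zipfile.BadZipFile:
        pass
    base = os.path.basename(path)
    m = CORE_RE.match(base) or LEGACY_RE.match(base)
    return parse_version(m.group(1)) if m else None


def has_jndi_lookup(path):
    try:
        with zipfile.ZipFile(path) as zf:
            return JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(path):
    """Return (version tuple, status string) for one jar."""
    version = jar_version(path)
    if version is None:
        return None, "unknown version"
    if version < (2,):
        return version, "log4j 1.x: not affected by CVE-2021-44228, but out of support"
    if version >= FIXED_FLOOR:
        return version, "fixed"
    if not has_jndi_lookup(path):
        return version, "vulnerable version, JndiLookup.class removed (mitigated)"
    return version, "VULNERABLE"


def scan(root):
    """Return sorted [(path, version, status)] for every log4j jar under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if CORE_RE.match(name) or LEGACY_RE.match(name):
                path = os.path.join(dirpath, name)
                version, status = classify(path)
                found.append((path, version, status))
    return sorted(found)


def report(root):
    """Same as scan(), keyed by jar filename for easy lookup."""
    return {os.path.basename(p): (v, s) for p, v, s in scan(root)}


def _write_jar(path, version, with_jndi=True):
    # Constructed jar: pom.properties plus, optionally, a JndiLookup.class stub
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "version=%s\nartifactId=log4j-core\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_sample_tree():
    """Constructed sample layout: two apps plus a legacy 1.x install."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "app1", "lib"))
    os.makedirs(os.path.join(root, "app2", "WEB-INF", "lib"))
    os.makedirs(os.path.join(root, "legacy"))
    _write_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(root, "app2", "WEB-INF", "lib", "log4j-core-2.16.0.jar"), "2.16.0")
    _write_jar(os.path.join(root, "app1", "log4j-core-2.12.1.jar"), "2.12.1", with_jndi=False)
    # 1.x jars carry no log4j-core pom; the filename is the only version source
    with zipfile.ZipFile(os.path.join(root, "legacy", "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for path, version, status in scan(build_sample_tree()):
        print("%-60s %-8s %s" % (path, ".".join(map(str, version)), status))
```

The pom.properties lookup matters in practice because jars get renamed or repackaged by installers; the filename alone is what the DIR check sees, and a log4j-core jar bundled under another name would be missed by both the DIR check and the filename regex here, so a second pass that opens every .jar and looks for JNDI_CLASS is the thorough version of this scan.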