Re: Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

 by: Arne Vajhøj - Fri, 7 Jan 2022 01:16 UTC

On 1/6/2022 8:02 PM, John Reagan wrote:
> The trouble is that log4j is at such a low level, it is buried in packages that are
> buried in other packages that are buried in even more packages. It might take a
> while for all of that to be squeezed out.

Yep.

A large portion of impacted users do not know that they are using log4j.

Heck - some of them may not even know they are using Java.

Arne

Re: Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

 by: Grant Taylor - Fri, 7 Jan 2022 03:05 UTC

On 1/6/22 6:02 PM, John Reagan wrote:
> The trouble is that log4j is at such a low level, it is buried in
> packages that are buried in other packages that are buried in even more
> packages. It might take a while for all of that to be squeezed out.

Purportedly Google's Project Zero put out a report (though I'm having
trouble finding it) wherein they did a massive analysis of Java packages
and found that Log4j was included as a dependency up to eight levels of
nesting.

Steve Gibson talked about it extensively on Security Now 850 from
December 21st 2021.

You can find a histogram in the show notes for SN 850 on file page 12
numbered page 11:

Link - Security Now 850 Show Notes
- https://www.grc.com/sn/sn-850-notes.pdf

--
Grant. . . .
unix || die

Re: Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

 by: Phillip Helbig (undr - Fri, 7 Jan 2022 08:05 UTC

In article <61d7945c$0$694$14726298@news.sunsite.dk>,
Arne Vajhøj <arne@vajhoej.dk> writes:

> On 1/6/2022 8:02 PM, John Reagan wrote:
> > The trouble is that log4j is at such a low level, it is buried in packages that are
> > buried in other packages that are buried in even more packages. It might take a
> > while for all of that to be squeezed out.
>
> Yep.
>
> A large portion of impacted users do not know that they are using log4j.
>
> Heck - some of them may not even know they are using Java.

Some might not even know that they are using a computer. :-)

Re: Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

 by: Arne Vajhøj - Fri, 7 Jan 2022 14:12 UTC

On 1/7/2022 3:05 AM, Phillip Helbig (undress to reply) wrote:
> In article <61d7945c$0$694$14726298@news.sunsite.dk>,
> Arne Vajhøj <arne@vajhoej.dk> writes:
>
>> On 1/6/2022 8:02 PM, John Reagan wrote:
>>> The trouble is that log4j is at such a low level, it is buried in packages that are
>>> buried in other packages that are buried in even more packages. It might take a
>>> while for all of that to be squeezed out.
>>
>> Yep.
>>
>> A large portion of impacted users do not know that they are using log4j.
>>
>> Heck - some of them may not even know they are using Java.
>
> Some might not even know that they are using a computer. :-)

For the cases I was thinking about - storage systems running some
management software - then they would know they were using a computer.

Arne

Re: Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

 by: Arne Vajhøj - Fri, 7 Jan 2022 14:17 UTC

On 1/6/2022 10:05 PM, Grant Taylor wrote:
> On 1/6/22 6:02 PM, John Reagan wrote:
>> The trouble is that log4j is at such a low level, it is buried in
>> packages that are buried in other packages that are buried in even
>> more packages.  It might take a while for all of that to be squeezed out.
>
> Purportedly Google's Project Zero put out a report (though I'm having
> trouble finding it) wherein they did a massive analysis of Java packages
> and found that Log4j was included as a dependency up to eight levels of
> nesting.
>
> Steve Gibson talked about it extensively on Security Now 850 from
> December 21st 2021.
>
> You can find a histogram in the show notes for SN 850 on file page 12
> numbered page 11:
>
> Link - Security Now 850 Show Notes
>  - https://www.grc.com/sn/sn-850-notes.pdf

Yes.

That is the curse of modern package managers. You include
a handful of things and that causes dozens/hundreds/thousands
of dependencies and dependencies of dependencies and ...
to be pulled in.

Java got maven, .NET got NuGet, PHP got composer, Python
got pip, JS got npm and so on (there are many others but the
above should illustrate).

Arne
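
Added example (not part of any post in this thread): a Python parser for the text output of `mvn dependency:tree` that reports every place log4j-core is pulled in, with its nesting depth and the chain of artifacts above it, which is the "dependencies of dependencies" problem described above. The tree text and every `com.example` coordinate are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the text layout printed by `mvn dependency:tree`.
# Every com.example coordinate is hypothetical.
SAMPLE_TREE = """\
[INFO] com.example:storage-console:jar:1.0
[INFO] +- com.example:web-ui:jar:3.2:compile
[INFO] |  +- com.example:report-engine:jar:1.4:compile
[INFO] |  |  \\- com.example:search-client:jar:7.1:compile
[INFO] |  |     \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- com.example:json-util:jar:2.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- com.example:audit:jar:0.9:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

# Tree-drawing prefix (three characters per nesting level), then the coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?(?P<prefix>[ |+\\-]*)(?P<coord>\S+)$")


def find_artifact(tree_text, group="org.apache.logging.log4j", artifact="log4j-core"):
    """Return one dict per occurrence: depth, version, and the chain pulling it in."""
    stack = []  # stack[d] is the group:artifact currently open at depth d
    hits = []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, blank or summary line
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # not a group:artifact:type:version coordinate
        depth = len(m.group("prefix")) // 3
        del stack[depth:]  # close siblings and deeper branches
        stack.append(f"{parts[0]}:{parts[1]}")
        if parts[0] == group and parts[1] == artifact:
            # The version is last on the root line and second to last when a scope follows.
            version = parts[-2] if len(parts) >= 5 else parts[-1]
            hits.append({"depth": depth, "version": version, "via": stack[:-1]})
    return hits


def depth_histogram(hits):
    """Count occurrences per nesting depth, shallowest first."""
    return dict(sorted(Counter(h["depth"] for h in hits).items()))


if __name__ == "__main__":
    found = find_artifact(SAMPLE_TREE)
    for hit in found:
        print(f"depth {hit['depth']}: log4j-core {hit['version']} via {' -> '.join(hit['via'])}")
    print(depth_histogram(found))
```

The same function can be run per module over saved `mvn dependency:tree` output; artifacts shaded or repackaged inside another JAR do not appear in the tree and need an archive-level scan instead.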

Re: Java, log4j, log4shell, and OpenVMS: CVE-2021-44228

 by: John Reagan - Fri, 7 Jan 2022 15:18 UTC

On Thursday, January 6, 2022 at 10:05:31 PM UTC-5, Grant Taylor wrote:
> On 1/6/22 6:02 PM, John Reagan wrote:
> > The trouble is that log4j is at such a low level, it is buried in
> > packages that are buried in other packages that are buried in even more
> > packages. It might take a while for all of that to be squeezed out.
> Purportedly Google's Project Zero put out a report (though I'm having
> trouble finding it) wherein they did a massive analysis of Java packages
> and found that Log4j was included as a dependency up to eight levels of
> nesting.
>
> Steve Gibson talked about it extensively on Security Now 850 from
> December 21st 2021.
>
> You can find a histogram in the show notes for SN 850 on file page 12
> numbered page 11:
>
> Link - Security Now 850 Show Notes
> - https://www.grc.com/sn/sn-850-notes.pdf
>
>
>
> --
> Grant. . . .
> unix || die

Yes, that's where I got my info. I listen to SN (and other podcasts) while I'm working.
I often find myself talking back to Steve/Leo without realizing it (I need real friends, eh?)
