Re: Remote code execution exploit found in Log4j -

How do you know if the jar sitting on your system is a threat or not? For example, say it's not being used today but someone installs a product tomorrow or enables a service that uses it? It would seem that the existence of the object at all in the "unfixed >> realm" would be a hit on the list of vulnerabilities? Right? I am assuming protocol demands removal of all unpatched copies, then comes my question, if we "find a few copies"
identifying what might use them seems challenging. Patching various products is not going to be a near-term option for a lot of us. Any ideas on a comprehensive approach? Overkill?
copied text "Any Log4J version prior to v2.15.0 is affected by this specific issue.

The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated."

I tried weeding through all the threads for all the active Java programs (we're a JDE Enterpriseone shop, and Java is used heavily by that product). I couldn't find it listed, so I fell back on just displaying the object attributes and looking at the Last Used data. For us, it doesn't seem to be related to E1, but to our restarting TCP/IP during BRMS saves at 1:xx in the morning.

By that same method, IBM hasn't updated this since 2011. <-- *I* *HAVE* *NO* *OPINION*.




_____________________________________________________________________
Spirax-Sarco Engineering Plc. This e-mail has been scanned for viruses by Cisco Cloud Email Security.