How do you know if the jar sitting on your system is a threat or not? For example, say it's not being used today but someone installs a product tomorrow or enables a service that uses it? It would seem that the existence of the object at all in the "unfixed realm" would be a hit on the list of vulnerabilities? Right? I am assuming protocol demands removal of all unpatched copies, then comes my question, if we "find a few copies" identifying what might use them seems challenging. Patching various products is not going to be a near-term option for a lot of us. Any ideas on a comprehensive approach? Overkill?
copied text "Any Log4J version prior to v2.15.0 is affected by this specific issue.

The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated."

I tried weeding through all the threads for all the active Java programs (we're a JDE EnterpriseOne shop, and Java is used heavily by that product). I couldn't find it listed, so I fell back on just displaying the object attributes and looking at the Last Used data. For us, it doesn't seem to be related to E1, but to our restarting TCP/IP during BRMS saves at 1:xx in the morning.

By that same method, IBM hasn't updated this since 2011. <-- *I* *HAVE* *NO* *OPINION*.

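One way to inventory the copies the first post asks about, as an added example that is not part of the thread: it walks a directory tree, opens every jar/war/ear (including archives bundled inside them), reads the version from the Maven `pom.properties` entry, and compares it with the 2.15.0 threshold quoted above. The function names, status labels, and the use of file access time as a stand-in for the "Last Used" attribute are assumptions of this example.

```python
import io, os, re, sys, time, zipfile

FIXED = (2, 15, 0)  # threshold quoted in the thread: versions before 2.15.0
# Maven metadata entries that normally ship inside the log4j jars
POMS = {
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core 2.x",
    "META-INF/maven/log4j/log4j/pom.properties": "log4j 1.x",
}
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(ver):
    if ver is None:
        return "unknown"
    if ver[0] < 2:
        return "v1-branch"  # the quoted text treats the 1.x branch separately
    return "affected" if ver < FIXED else "at-or-above-2.15.0"

def scan_archive(src, label, findings, depth=0):
    """src is a path or file object; label records where the copy lives."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable, or not really a zip: skip it
    with zf:
        for name in zf.namelist():
            if name in POMS:
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                findings.append((label, POMS[name], ver, classify(ver)))
            elif name.lower().endswith(ARCHIVES) and depth < 3:
                inner = io.BytesIO(zf.read(name))  # jar bundled in a war/ear/fat jar
                scan_archive(inner, label + "!" + name, findings, depth + 1)

def scan_tree(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fname)
                scan_archive(path, path, findings)
    return findings

if __name__ == "__main__":
    for label, comp, ver, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        # atime of the outer file approximates "last used"; unreliable on noatime mounts
        used = time.strftime("%Y-%m-%d", time.localtime(os.stat(label.split("!")[0]).st_atime))
        print(status, comp, ver, "last-access=" + used, label, sep="\t")
```

Copies repackaged without their `pom.properties` entry (some shaded or vendor-rebuilt jars) will not be reported, so an empty result is not proof that no copy exists.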
