How do you know if the jar sitting on your system is a threat or not? For example, say it's not being used today but someone installs a product tomorrow or enables a service that uses it? It would seem that the existence of the object at all in the "unfixed realm" would be a hit on the list of vulnerabilities? Right? I am assuming protocol demands removal of all unpatched copies. Then comes my question: if we "find a few copies", identifying what might use them seems challenging. Patching various products is not going to be a near-term option for a lot of us. Any ideas on a comprehensive approach? Overkill?
Copied text: "Any Log4J version prior to v2.15.0 is affected by this specific issue. The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated."
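
An inventory pass of the kind the post asks about, as an added example that is not part of the original post: it walks a directory, opens every jar/war/ear (including jars nested inside them), and reports each Log4J copy with the archive chain that contains it, so the outer archive names the product that bundles the jar. The function names are hypothetical, the two verdict rules are taken from the quoted text above, and it assumes each copy still carries its Maven `pom.properties` metadata.

```python
import io
import re
import zipfile
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear")
# Assumption: the copy still carries the Maven metadata shipped in log4j-core 2.x / log4j 1.2.x.
POM = re.compile(r"META-INF/maven/(org\.apache\.logging\.log4j/log4j-core|log4j/log4j)/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify(version):
    """Apply the two rules from the quoted text to a version string."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        return "unknown version, inspect manually"
    nums = tuple(nums + [0, 0])[:3]  # pad so "2.15" compares as 2.15.0
    if nums[0] == 1:
        return "version 1 branch, update"
    return "affected (prior to 2.15.0)" if nums < (2, 15, 0) else "2.15.0 or later"


def scan_archive(data, chain):
    """Yield (chain, version, verdict) per Log4J copy, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        poms = [n for n in names if POM.search(n)]
        for name in poms:
            m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
            version = m.group(1) if m else ""
            yield chain, version or "?", classify(version)
        if not poms and JNDI_CLASS in names:
            yield chain, "?", "log4j-core classes without metadata, inspect manually"
        for name in names:
            if name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), chain + " -> " + name)


def scan_tree(root):
    """Walk a directory and list every Log4J copy with the archive chain that holds it."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits.extend(scan_archive(path.read_bytes(), str(path)))
    return hits
```

Calling `scan_tree` on an install root returns one tuple per copy; a chain such as `app.war -> WEB-INF/lib/log4j-core-2.14.1.jar` shows which deployed archive would load that jar.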