For those curious, log4j is widely used for logging application errors, hence why it is so widespread. Apache has already released a fix (and several alternatives to mitigate the effect), see https://logging.apache.org/log4j/2.x/security.html ... Very serious vulnerability as it allows Remote Code Execution on the targeted server, and is already being actively exploited worldwide. The challenge now is to deploy the fixes -- not so difficult on z/OS (and there is log4j usage on z/OS but unclear that RCE can do much harm on a properly secured z/OS system -- this will vary by what application is using the log4j library). Cloud could be brought to its knees. There is a rumour that an electrical network was minutes away from being shut down (nationwide blackout) from this exploitation (no mainframes involved).
On Sun, Dec 12, 2021 at 5:00 AM David Crayford <[email protected]> wrote:

> It’s a stinker and it’s going to affect 10s of millions of applications.
>
> > On 12 Dec 2021, at 00:24, Jousma, David <[email protected]> wrote:
> >
> > Looks like a bad one...
> >
> > https://www.lunasec.io/docs/blog/log4j-zero-day/
> >
> > Dave Jousma
> > Vice President | Director, Technology Engineering
> > Fifth Third Bank | 1830 East Paris Ave, SE | MD RSCB2H | Grand Rapids, MI 49546
> > 616.653.8429
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
