On 13/12/21 6:57 am, Andrew Rowley wrote:
On 12/12/2021 1:20 pm, David Crayford wrote:
Fingers crossed! The truth is almost no mainframe network (worth its
salt) is visible to the outside world. But that doesn't stop the public
servers being compromised.
A quick fix if you are unable to update to the patched version is to
use the following Java property:
-Dlog4j2.formatMsgNoLookups=True
It seems slightly unfair to call this a Java vulnerability. It's a
vulnerability in a package written in Java (albeit widely used). If
this is a Java vulnerability, how many C/C++ or even assembler
vulnerabilities have we seen?
Agreed. Although Java itself does have security vulnerabilities and
patches are released frequently. It's critical to stay up to date with
service https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
Our product has a Java Spring Boot component and we were just about to
ship a PTF when this happened. Log4j is in the CoO so questions were
asked but we don't use it, but it's on the classpath.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
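
Added example, not part of the original thread and not any poster's code: an inventory check for the case described in the last reply, where Log4j sits on a Spring Boot classpath without being used. It looks inside a jar and its nested jars (Spring Boot packs dependencies under BOOT-INF/lib) for log4j-core's JndiLookup class; the jar names and contents in `demo()` are constructed samples.

```python
import io
import sys
import zipfile

# Class shipped in log4j-core that implements the JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return labels of archives (nested ones included) holding JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive, nothing to report
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            hits.append(label)
        if depth < max_depth:  # bound recursion into nested archives
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    nested = f"{label}!/{name}"
                    hits += scan_archive(zf.read(name), nested, depth + 1, max_depth)
    return hits

def scan_file(path):
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: a Spring Boot style fat jar with two nested libraries.
    core = make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    api = make_jar({"org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe"})
    app = make_jar({"BOOT-INF/classes/app/Main.class": b"\xca\xfe\xba\xbe",
                    "BOOT-INF/lib/log4j-core-X.Y.Z.jar": core,
                    "BOOT-INF/lib/log4j-api-X.Y.Z.jar": api})
    return scan_archive(app, "app.jar")

if __name__ == "__main__":
    found = [h for p in sys.argv[1:] for h in scan_file(p)] if sys.argv[1:] else demo()
    for hit in found:
        print("JndiLookup.class present in", hit)
```

Run with one or more archive paths as arguments to scan real files; with no arguments it scans the constructed sample.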