With log4j there's a public blog page with two lists: #1 shows products
not affected, and #2 shows products remediated (with links to more info).
If something is not in either list, that could mean it's still being
evaluated, or (more likely?) in the category you mentioned - never
published publicly. In that case the Security Portal is the only way to
get further direct information. How to get vetted for that I have no
idea. I've tried a couple of times with no luck - not even a reply.
Maybe it's like the Masons, "...each candidate must be free and of good
repute".
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
On 2/13/2022 7:30 AM, Ed Jaffe wrote:
On 2/13/2022 7:18 AM, Seymour J Metz wrote:
The (somewhat simplified) way that IBM handles this for z/OS is via
hold data and customer notification of security fixes. IMHO that works
well.
Disclosed to customers only via a secure channel that limits exposure to
a select list of vetted employees with a need to know.
Never published publicly in any way, shape or form.