
The French announcement mentions this: "In general, it seems that the use of a Java runtime environment in version 8u121 or later makes it possible to guard against the main attack vector mentioned by the researchers behind the discovery."

Is it correct?

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/




As has been commented several times on other threads here on HN, a new enough Java only protects against one kind of exploit (directly loading arbitrary bytecode) but not others (serialization tricks to execute arbitrary function calls, or data exfiltration).



