Thanks for putting it into practical terms. I wish it was that black and white though.

I don’t really know how much JNDI is used any more. When I learned Java, JNDI was the standard way to access LDAP. So I can easily imagine that there are configurations out there that are retrieving some passwords from it to access something from the logging configuration, completely unaware that they may already have been compromised.

But how many are there that are doing that? Less than 1%? What is worse is that the fix will no longer allow them to access LDAP that way, so many of those who this fix is meant to protect won’t upgrade.

Still, I have to agree that it wasn’t safe to allow users to access LDAP (as well as other protocols) this way and users needed to be informed.

Ralph



> On Dec 30, 2021, at 10:01 AM, Julius Davies <juliusdav...@gmail.com> wrote:
> 
> Hello,
> 
> Long time lurker here.
> 
> There are probably tens of thousands of CVEs in the NVD that are
> theoretically exploitable, but in practice will never be exploited. I
> wouldn't take things people say on twitter too seriously when it comes to
> determining CVE-worthiness.
> 
> I mainly think of the CVE system as a way to boost and amplify
> communication around patch releases, and to help convey to the public the
> importance of taking a given update.
> 
> If the log4j team agreed that it's not safe for consumers of Log4J to
> remain on 2.17.0, then the CVE was appropriate, no matter what anyone else
> thinks.
> 
> 
> yours,
> 
> Julius
> 
> 
> 
> On Thu, Dec 30, 2021 at 8:46 AM Ralph Goers <ralph.go...@dslextreme.com>
> wrote:
> 
>> I have no objection to this but it obviously has to be done on the private
>> list.
>> 
>> I happen to disagree with your assessment of 44832. As far as I am concerned any
>> uncontrolled use of JNDI requires a CVE. People don’t seem to understand just how
>> bad it is. Any design that lets you download code from a random web server that then
>> runs in your JVM is a disaster, and that is exactly the way JNDI/LDAP works.
>> 
>> Ralph
>> 
>>> On Dec 30, 2021, at 2:02 AM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>> 
>>> Hello,
>>> 
>>> The recent CVE-2021-44832 has been subject to quite some debate whether it
>>> was CVE-worthy or not. I think that one had far-fetched assumptions and
>>> could very well be addressed in a patch release, just like we did, but
>>> without a CVE associated with it. The created CVE caused yet another wave
>>> of FUD surrounding the project. I can imagine millions of deployments all
>>> around the world were marked as flagged by monitoring tools and people
>>> rushed to upgrade in panic, most likely, for no reason. I put aside the
>>> damage CVEs cause on the reputation of the project.
>>> 
>>> I am told by secur...@apache.org that what is CVE-worthy is up to the PMC. *I
>>> propose creating a VOTE thread for the CVE creation from now on.* I would
>>> appreciate it if others can share their thoughts on this. If the overall
>>> reception is positive, I will send a VOTE email to make this official.
>>> 
>>> Kind regards.
>> 
>> 
