On 12/12/21 6:37 am, Attila Fogarasi wrote:
not so difficult on z/OS (and there is log4j usage on z/OS but unclear that RCE can do much harm on a properly secured z/OS system -- this will vary by what application is using the log4j library).
Fingers crossed! The truth is almost no mainframe network (worth its salt) is visible to outside world. But that doesn't stop the public servers being compromised.
A quick fix if you are unable to update to the patched version is to use the following Java property:
‐Dlog4j2.formatMsgNoLookups=True ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
