
The deprecation JEP has some discussion of why it was deprecated: https://openjdk.org/jeps/411

"The threat of accidental vulnerabilities in local code is almost impossible to address with the Security Manager. Many of the claims that the Security Manager is widely used to secure local code do not stand up to scrutiny; it is used far less in production than many people assume. There are many reasons for its lack of use: [...]"

Would be interesting to know if there were other cases besides ElasticSearch that were protected from log4j by JSM.



.NET also dropped CAS during the Core rewrite, with similar reasoning.

Which is a pity, but unfortunately capability-based systems still seem to have a problem for the common developer to properly configure them.



