Significant security vulnerability discovered in Log4j

Nils Breunese nils at breun.nl
Sun Dec 12 09:02:01 UTC 2021


Eric Gallager wrote:

> On Fri, Dec 10, 2021 at 6:00 PM Jason Liu <jasonliu at umich.edu> wrote:
>> 
>> In case everyone hadn't heard the news. If anyone is running Log4j for logging on any of your web servers, you might want to read this.
>> 
>> WIRED: 'The Internet Is On Fire'
>> A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix.
>> 
>> --
>> Jason Liu
> 
> so... is there anything to do about this in MacPorts?
> 
> $ port search log4j
> jakarta-log4j @1.2.16 (java, devel)
>    Java logging API
> 
> log4cxx @0.10.0_1 (devel)
>    log4cxx is a port to C++ of the log4j project
> 
> log4jdbc @1.1 (java)
>    JDBC driver that can log SQL and/or JDBC calls
> 
> p5-log-dispatch-config @1.40.0 (perl)
>    Log::Dispatch::Config - Log4j for Perl
> 
> p5-log-log4perl @1.540.0 (perl)
>    Log4j implementation for Perl
> 
> p5.28-log-dispatch-config @1.40.0 (perl)
>    Log::Dispatch::Config - Log4j for Perl
> 
> p5.28-log-log4perl @1.540.0 (perl)
>    Log4j implementation for Perl
> 
> p5.30-log-dispatch-config @1.40.0 (perl)
>    Log::Dispatch::Config - Log4j for Perl
> 
> p5.30-log-log4perl @1.540.0 (perl)
>    Log4j implementation for Perl
> 
> p5.32-log-dispatch-config @1.40.0 (perl)
>    Log::Dispatch::Config - Log4j for Perl
> 
> p5.32-log-log4perl @1.540.0 (perl)
>    Log4j implementation for Perl
> 
> Found 11 ports.
> $ port installed `port -q search log4j`
> The following ports are currently installed:
>  jakarta-log4j @1.2.16_0 (active)
>  log4jdbc @1.1_0 (active)
>  p5.28-log-log4perl @1.540.0_0 (active)
>  p5.30-log-log4perl @1.540.0_0 (active)
>  p5.32-log-log4perl @1.540.0_0 (active)
> $
> 
> ...I don't think any of these are the same thing, are they?

I’m a Java developer and MacPorts OpenJDK maintainer and to me none of these ports look related to Log4J 2.x, which is the vulnerable library.

It could be the case that MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.

Nils.
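The check Nils describes, scanning an installed prefix for Log4j 2 jars that may be buried inside .war (zip) archives, can be automated. The script below is an added example for this thread, not code from MacPorts or from any of the posters. It assumes the MacPorts default prefix /opt/local when run against a real tree, and the version range it flags is the one given in the message (2.0.0 through 2.14.1, taken as inclusive). Two details go beyond the message: the Log4j 2 artifact that actually carries the vulnerable code is named log4j-core-<version>.jar (the pattern matches both that name and the log4j-<version>.jar form written above), and rather than trusting the file name the scanner also looks for org/apache/logging/log4j/core/lookup/JndiLookup.class, the class that implements the JNDI lookup, and reads the version from the Maven pom.properties that log4j-core jars carry. That catches renamed or shaded copies. The sample archives in build_samples() are constructed in memory for illustration; none of them are real MacPorts artifacts.

```python
"""Scan a directory tree (e.g. a MacPorts prefix) for Log4j 2 jars, including
jars nested inside .war/.ear/.zip archives, and report which fall in a range."""
import io
import os
import re
import sys
import zipfile

# Matches 'log4j-2.14.1.jar' (as written in the thread) and the real
# artifact name 'log4j-core-2.14.1.jar'; log4j-api-*.jar is deliberately excluded.
JAR_NAME_RE = re.compile(r"(?:^|/)log4j(?:-core)?-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)
# Class implementing the JNDI lookup in log4j-core 2.x: identifies a copy
# of the library even when the jar has been renamed or shaded.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; more reliable than the file name.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Range quoted in the message, 2.0.0 through 2.14.1 (assumption: inclusive bounds).
RANGE_LO, RANGE_HI = (2, 0, 0), (2, 14, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def in_range(version):
    return version is not None and RANGE_LO <= version <= RANGE_HI


def _finding(path, version, has_jndi):
    return {"path": path, "version": version,
            "has_jndi_lookup": has_jndi, "in_range": in_range(version)}


def scan_archive(data, path, depth=0, max_depth=4):
    """Inspect one archive (bytes) and recurse into archives nested in it.

    Nested members are reported as 'outer.war!/inner/path.jar'.
    """
    name_match = JAR_NAME_RE.search(path)
    version = parse_version(name_match.group(1)) if name_match else None
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        if name_match:  # named like log4j but not a readable zip: still report it
            findings.append(_finding(path, version, False))
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:  # prefer the version Maven recorded
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        has_jndi = JNDI_LOOKUP_CLASS in names
        if has_jndi or name_match:
            findings.append(_finding(path, version, has_jndi))
        if depth < max_depth:  # bounded recursion into .war/.ear/.zip/.jar members
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(scan_archive(zf.read(name), f"{path}!/{name}",
                                                 depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. /opt/local) and scan every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed sample archives for the demo; not real MacPorts artifacts."""
    def core_jar(version):
        return _zip_bytes({JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
                           POM_PROPERTIES: f"version={version}\n".encode()})
    return {
        # log4j-core 2.14.1 buried in WEB-INF/lib of a .war: in range
        "/opt/local/share/java/app.war": _zip_bytes({
            "WEB-INF/lib/log4j-core-2.14.1.jar": core_jar("2.14.1"),
            "WEB-INF/lib/log4j-api-2.14.1.jar": _zip_bytes({"x": b""})}),
        # renamed copy: the file name says nothing, JndiLookup.class gives it away
        "/opt/local/share/java/tool/lib/logging.jar": core_jar("2.13.3"),
        # version outside the quoted range
        "/opt/local/share/java/other/log4j-core-2.16.0.jar": core_jar("2.16.0"),
        # Log4j 1.2.16 (what jakarta-log4j ships): a different library, not in range
        "/opt/local/share/java/log4j-1.2.16.jar": _zip_bytes({
            "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe"}),
    }


def demo():
    """Scan the constructed samples and return the findings list."""
    findings = []
    for path, data in build_samples().items():
        findings.extend(scan_archive(data, path))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        flag = "IN RANGE" if f["in_range"] else "ok/unknown"
        print(f"{flag:10} {f['path']}  version={f['version']}  JndiLookup={f['has_jndi_lookup']}")
```

Run it as `python3 scan_log4j.py /opt/local` (name of the script is hypothetical) to walk the whole prefix; with no argument it scans the constructed samples. Two caveats: a jar that contains JndiLookup.class but no pom.properties is reported with version None and should be inspected by hand, and a jar whose JndiLookup.class has been deleted (a known mitigation) but which keeps its original name is still reported, by name, so the has_jndi_lookup field is the one to read. `port contents <port>` lists the files a port installed, but it cannot see inside a .war, which is why the scanner opens the archives itself.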

