Significant security vulnerability discovered in Log4j
nils at breun.nl
Sun Dec 12 20:48:13 UTC 2021
Eric Gallager <egall at gwmail.gwu.edu> wrote:
> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root <jmr at macports.org> wrote:
>> On 2021-12-12 20:02 , Nils Breunese wrote:
>>> It could be the case the MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.
>> Not all ports have installed file information available, but the web app
>> can search the ones that do:
>> - Josh
> Some other ports with log4j-related files that don't show up in this
> search: spring-framework25 +with_libs (from the 1.x series, so it's
> safe), slf4j (just docs, so it's safe), log4jdbc (also old, and
> possibly a spurious string match, so probably also safe), duck (1.x
> series, so it's safe), apache-ant (not seeing version info, I dunno),
> apache-geode (this one might actually need checking?),
> appengine-java-sdk (not sure), ghidra (this one looks vulnerable), poi
> (1.x series, so it's safe), webtoolkit-java-sdk (I dunno), zanata-cli
> (1.x series, so it's safe), and commons-logging (doesn't even build).
> I'll attach the output of `locate /opt/local/*log4j* | xargs port
> provides` to this email so you can see the same list I was looking at.
I said to look log4j-$version.jar earlier, but I should have said log4j-core-$version.jar.
In your list apache-solr8 and apache-geode contain vulnerable versions of Log4J 2.x.
More information about the macports-dev