Significant security vulnerability discovered in Log4j

Nils Breunese nils at breun.nl
Sun Dec 12 20:53:27 UTC 2021


Nils Breunese <nils at breun.nl> wrote:

> Eric Gallager <egall at gwmail.gwu.edu> wrote:
> 
>> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root <jmr at macports.org> wrote:
>>> 
>>> On 2021-12-12 20:02 , Nils Breunese wrote:
>>>> It could be the case that MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.
>>> 
>>> Not all ports have installed file information available, but the web app
>>> can search the ones that do:
>>> 
>>> <https://ports.macports.org/search/?installed_file=log4j&q=>
>>> 
>>> - Josh
>> 
>> Some other ports with log4j-related files that don't show up in this
>> search: spring-framework25 +with_libs (from the 1.x series, so it's
>> safe), slf4j (just docs, so it's safe), log4jdbc (also old, and
>> possibly a spurious string match, so probably also safe), duck (1.x
>> series, so it's safe), apache-ant (not seeing version info, I dunno),
>> apache-geode (this one might actually need checking?),
>> appengine-java-sdk (not sure), ghidra (this one looks vulnerable), poi
>> (1.x series, so it's safe), webtoolkit-java-sdk (I dunno), zanata-cli
>> (1.x series, so it's safe), and commons-logging (doesn't even build).
>> I'll attach the output of `locate /opt/local/*log4j* | xargs port
>> provides` to this email so you can see the same list I was looking at.
>> <log4jfiles.txt>
> 
> I said to look for log4j-$version.jar earlier, but I should have said log4j-core-$version.jar.
> 
> In your list apache-solr8 and apache-geode contain vulnerable versions of Log4J 2.x.

And ghidra indeed, sorry.

The version of Apache Geode in MacPorts (1.0.0-incubating) is also rather old. Version 1.14.1 of Apache Geode bumped its dependency on Log4J to 2.15.0, which is the fixed version: https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.14.1

Nils.
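The check discussed in this thread (find log4j-core-$version.jar files, including ones hidden inside .war or other zip-based archives, and flag versions 2.0.0 through 2.14.1) can be scripted. The following is an added example, not MacPorts code and not something posted in the thread. It walks a directory tree such as /opt/local, recurses into nested jar/war/ear/zip archives, and classifies by file name; as a fallback for renamed jars it reads the version from the Maven metadata file META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties that log4j-core jars ship. The sample tree it scans is constructed in a temporary directory for the demonstration and is not a real set of ports; the version range is the one quoted in the thread (2.15.0 treated as fixed).

```python
"""Find Log4j 2.x core jars (also inside .war/.ear/.jar/.zip archives) under a directory."""
import io
import os
import re
import tempfile
import zipfile
from collections import namedtuple

NESTED_EXTS = (".jar", ".war", ".ear", ".zip")
# Matches log4j-core-2.14.1.jar (2.x core) and log4j-1.2.17.jar (1.x); api/other modules are ignored.
JAR_NAME = re.compile(r"^log4j(-core)?-(\d+(?:\.\d+)+)\.jar$")
# Maven metadata shipped inside log4j-core jars; used when the jar has been renamed.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VULN_MIN = (2, 0, 0)
VULN_MAX = (2, 14, 1)  # range quoted in the thread; 2.15.0 is the fixed version it names

Finding = namedtuple("Finding", "location artifact version vulnerable")


def parse_version(s):
    """'2.14.1' -> (2, 14, 1); shorter strings are right-padded with zeros."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version):
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def _version_from_pom(zf):
    """Return the version recorded in log4j-core's pom.properties, or None if absent."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify_archive(location, data):
    """Yield Findings for the archive bytes at `location`, recursing into nested archives."""
    name = os.path.basename(location)
    m = JAR_NAME.match(name)
    if m:
        artifact = "log4j-core" if m.group(1) else "log4j"
        yield Finding(location, artifact, m.group(2), is_vulnerable(m.group(2)))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not m:  # file name says nothing: fall back to the Maven metadata
            v = _version_from_pom(zf)
            if v:
                yield Finding(location, "log4j-core (pom.properties)", v, is_vulnerable(v))
        for member in zf.namelist():
            if member.lower().endswith(NESTED_EXTS):
                yield from classify_archive(location + "!" + member, zf.read(member))


def scan_tree(root):
    """Scan every archive below `root` (e.g. /opt/local) and return all Findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(NESTED_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(classify_archive(path, fh.read()))
    return findings


def make_jar(entries):
    """Build an in-memory zip (jar/war) from a {member: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, payload in entries.items():
            zf.writestr(member, payload)
    return buf.getvalue()


def build_sample(root):
    """Constructed sample tree for the demo; these are not real ports or real jars."""
    def core(version):
        return make_jar({POM_PROPS: f"version={version}\n".encode(), "META-INF/MANIFEST.MF": b""})
    files = {
        "lib/log4j-core-2.14.1.jar": core("2.14.1"),
        "lib/log4j-1.2.17.jar": make_jar({"META-INF/MANIFEST.MF": b""}),
        "lib/logging-bundle.jar": core("2.12.1"),  # renamed copy: only pom.properties reveals it
        "webapps/app.war": make_jar({
            "WEB-INF/lib/log4j-core-2.13.3.jar": core("2.13.3"),
            "WEB-INF/lib/log4j-core-2.15.0.jar": core("2.15.0"),
        }),
    }
    for rel, payload in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)


def demo():
    """Scan the constructed tree; returns sorted (relative location, artifact, version, vulnerable)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return sorted((f.location[len(root) + 1:], f.artifact, f.version, f.vulnerable)
                      for f in scan_tree(root))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running `scan_tree("/opt/local")` reports each archive with a nested path such as `app.war!WEB-INF/lib/log4j-core-2.13.3.jar`. The file-name match is the same heuristic the thread uses, so a shaded or repackaged jar that carries neither the name nor the Maven metadata is still missed; that is the case where only a class-level inspection or the port's own dependency list will settle it.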


More information about the macports-dev mailing list