Significant security vulnerability discovered in Log4j
Eric Gallager
egall at gwmail.gwu.edu
Sun Dec 12 22:37:00 UTC 2021
On Sun, Dec 12, 2021 at 3:53 PM Nils Breunese <nils at breun.nl> wrote:
>
> Nils Breunese <nils at breun.nl> wrote:
>
> > Eric Gallager <egall at gwmail.gwu.edu> wrote:
> >
> >> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root <jmr at macports.org> wrote:
> >>>
> >>> On 2021-12-12 20:02 , Nils Breunese wrote:
> >>>> It could be the case the MacPorts has ports for Java-based applications that include a vulnerable version of the Log4J library. A port that includes a file called log4j-$version.jar with $version in the range 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a compressed archive, like a .war file (basically a zip file). I’m not sure how we could check all ports for this without installing all of them.
> >>>
> >>> Not all ports have installed file information available, but the web app
> >>> can search the ones that do:
> >>>
> >>> <https://ports.macports.org/search/?installed_file=log4j&q=>
> >>>
> >>> - Josh
> >>
> >> Some other ports with log4j-related files that don't show up in this
> >> search: spring-framework25 +with_libs (from the 1.x series, so it's
> >> safe), slf4j (just docs, so it's safe), log4jdbc (also old, and
> >> possibly a spurious string match, so probably also safe), duck (1.x
> >> series, so it's safe), apache-ant (not seeing version info, I dunno),
> >> apache-geode (this one might actually need checking?),
> >> appengine-java-sdk (not sure), ghidra (this one looks vulnerable), poi
> >> (1.x series, so it's safe), webtoolkit-java-sdk (I dunno), zanata-cli
> >> (1.x series, so it's safe), and commons-logging (doesn't even build).
> >> I'll attach the output of `locate /opt/local/*log4j* | xargs port
> >> provides` to this email so you can see the same list I was looking at.
> >> <log4jfiles.txt>
> >
> > I said to look log4j-$version.jar earlier, but I should have said log4j-core-$version.jar.
> >
> > In your list apache-solr8 and apache-geode contain vulnerable versions of Log4J 2.x.
>
> And ghidra indeed, sorry.
>
> The version of Apache Geode in MacPorts (1.0.0-incubating) is also rather old. Version 1.14.1 of Apache Geode bumped its dependency on Log4J to 2.15.0, which is the fixed version: https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.14.1
>
> Nils.
There's bug 58631 open for an update to apache-geode:
https://trac.macports.org/ticket/58631
And I opened bug 64199 for ghidra: https://trac.macports.org/ticket/64199
More information about the macports-dev
mailing list