Significant security vulnerability discovered in Log4j

Nils Breunese nils at breun.nl
Tue Dec 14 23:47:14 UTC 2021


Arjun Salyan <arjun at macports.org> wrote:

>> On 12-Dec-2021, at 3:27 PM, Joshua Root <jmr at macports.org> wrote:
>> 
>> Not all ports have installed file information available, but the web app can search the ones that do:
>> 
>> <https://ports.macports.org/search/?installed_file=log4j&q=>
> 
> I identified an issue with the way we were updating our search index. That has been fixed and now this page shows 17 ports, instead of 5.

Thanks for fixing! For Log4J, only log4j-core-* is relevant, and https://ports.macports.org/search/?installed_file=log4j-core&q= only shows the ports we already previously identified.

A couple of hours ago https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 was made public, which states that the previous mitigations of upgrading to Log4J 2.15.0 or setting system/environment properties are no longer enough. The recommended solution is upgrading to Log4J 2.16.0. If that is not possible, it is recommended to at least remove the JndiLookup class from the log4j-core JAR (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Nils.
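As an added example, not from this thread or from MacPorts, the following Python script does what the message above describes for a whole directory tree: it inventories log4j-core-*.jar files, reads the manifest version and compares it against the 2.16.0 threshold from CVE-2021-45046, and removes the JndiLookup class entry with zipfile, which has the same effect as the quoted zip -q -d command. The function names (find_log4j_core, assess_jar, strip_jndi_lookup) are mine, and the sample JAR the demo builds is constructed for illustration, not a real Log4j artifact.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)  # CVE-2021-45046: 2.15.0 alone is not sufficient

def find_log4j_core(root):
    """Yield every log4j-core-*.jar below root; only log4j-core ships JndiLookup."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)

def assess_jar(path):
    """Return manifest version, whether JndiLookup is present, and whether action is needed."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"Implementation-Version:\s*([0-9.]+)", manifest)
    version = tuple(int(x) for x in m.group(1).split(".")) if m else None
    has_jndi = JNDI_CLASS in names
    below_fix = version is None or version < FIXED_VERSION  # unknown version: treat as vulnerable
    return {"version": version, "has_jndi_lookup": has_jndi, "needs_action": has_jndi and below_fix}

def strip_jndi_lookup(path):
    """Same effect as `zip -q -d <jar> .../JndiLookup.class`: rewrite the JAR without that entry."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # atomic swap so a crash never leaves a half-written JAR

def make_sample_jar(directory, version="2.15.0"):
    """Constructed stand-in for a log4j-core JAR: a manifest plus placeholder class entries."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(JNDI_CLASS, b"placeholder")  # not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    return path

def demo():
    """Build the sample JAR, assess it, apply the mitigation and re-assess."""
    with tempfile.TemporaryDirectory() as work:
        make_sample_jar(work)
        jars = list(find_log4j_core(work))
        before = assess_jar(jars[0])
        strip_jndi_lookup(jars[0])
        return before, assess_jar(jars[0])
```

Running demo() on the constructed 2.15.0 JAR reports needs_action before the strip and a clean result afterwards; on a real host, point find_log4j_core at the directory you want to audit and only call strip_jndi_lookup where upgrading to 2.16.0 is not possible.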
