Eric Gallager <eg...@gwmail.gwu.edu> wrote: > On Sun, Dec 12, 2021 at 4:57 AM Joshua Root <j...@macports.org> wrote: >> >> On 2021-12-12 20:02 , Nils Breunese wrote: >>> It could be the case the MacPorts has ports for Java-based applications >>> that include a vulnerable version of the Log4J library. A port that >>> includes a file called log4j-$version.jar with $version in the range >>> 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’ inside a >>> compressed archive, like a .war file (basically a zip file). I’m not sure >>> how we could check all ports for this without installing all of them. >> >> Not all ports have installed file information available, but the web app >> can search the ones that do: >> >> <https://ports.macports.org/search/?installed_file=log4j&q=> >> >> - Josh > > Some other ports with log4j-related files that don't show up in this > search: spring-framework25 +with_libs (from the 1.x series, so it's > safe), slf4j (just docs, so it's safe), log4jdbc (also old, and > possibly a spurious string match, so probably also safe), duck (1.x > series, so it's safe), apache-ant (not seeing version info, I dunno), > apache-geode (this one might actually need checking?), > appengine-java-sdk (not sure), ghidra (this one looks vulnerable), poi > (1.x series, so it's safe), webtoolkit-java-sdk (I dunno), zanata-cli > (1.x series, so it's safe), and commons-logging (doesn't even build). > I'll attach the output of `locate /opt/local/*log4j* | xargs port > provides` to this email so you can see the same list I was looking at. > <log4jfiles.txt>
I said to look log4j-$version.jar earlier, but I should have said log4j-core-$version.jar. In your list apache-solr8 and apache-geode contain vulnerable versions of Log4J 2.x. Nils.