On Sun, Dec 12, 2021 at 3:53 PM Nils Breunese <[email protected]> wrote:
>
> Nils Breunese <[email protected]> wrote:
>
> > Eric Gallager <[email protected]> wrote:
> >
> >> On Sun, Dec 12, 2021 at 4:57 AM Joshua Root <[email protected]> wrote:
> >>>
> >>> On 2021-12-12 20:02 , Nils Breunese wrote:
> >>>> It could be the case that MacPorts has ports for Java-based applications
> >>>> that include a vulnerable version of the Log4J library. A port that
> >>>> includes a file called log4j-$version.jar with $version in the range
> >>>> 2.0.0-2.14.1 could be vulnerable. This file could also be ‘hidden’
> >>>> inside a compressed archive, like a .war file (basically a zip file).
> >>>> I’m not sure how we could check all ports for this without installing
> >>>> all of them.
> >>>
> >>> Not all ports have installed file information available, but the web app
> >>> can search the ones that do:
> >>>
> >>> <https://ports.macports.org/search/?installed_file=log4j&q=>
> >>>
> >>> - Josh
> >>
> >> Some other ports with log4j-related files that don't show up in this
> >> search: spring-framework25 +with_libs (from the 1.x series, so it's
> >> safe), slf4j (just docs, so it's safe), log4jdbc (also old, and
> >> possibly a spurious string match, so probably also safe), duck (1.x
> >> series, so it's safe), apache-ant (not seeing version info, I dunno),
> >> apache-geode (this one might actually need checking?),
> >> appengine-java-sdk (not sure), ghidra (this one looks vulnerable), poi
> >> (1.x series, so it's safe), webtoolkit-java-sdk (I dunno), zanata-cli
> >> (1.x series, so it's safe), and commons-logging (doesn't even build).
> >> I'll attach the output of `locate /opt/local/*log4j* | xargs port
> >> provides` to this email so you can see the same list I was looking at.
> >> <log4jfiles.txt>
> >
> > I said to look for log4j-$version.jar earlier, but I should have said
> > log4j-core-$version.jar.
> >
> > In your list apache-solr8 and apache-geode contain vulnerable versions of
> > Log4J 2.x.
>
> And ghidra indeed, sorry.
>
> The version of Apache Geode in MacPorts (1.0.0-incubating) is also rather
> old. Version 1.14.1 of Apache Geode bumped its dependency on Log4J to 2.15.0,
> which is the fixed version:
> https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.14.1
>
> Nils.

There's bug 58631 open for an update to apache-geode:
https://trac.macports.org/ticket/58631

And I opened bug 64199 for ghidra:
https://trac.macports.org/ticket/64199
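Added example, not code from this thread or from MacPorts: a Python scanner for the check Nils describes above, walking a tree for log4j-core-$version.jar and also opening .war/.jar/.ear/.zip archives to find the same file name nested inside them, which the `locate ... | xargs port provides` one-liner cannot see. The default root /opt/local, the vulnerable range 2.0.0 through 2.14.1 and the treatment of 2.15.0 as fixed are taken from the thread as written and are parameters you can change; the secondary check for the org/apache/logging/log4j/core/lookup/JndiLookup.class entry (to catch shaded jars with no version in their name, the apache-ant "not seeing version info" case) is my addition, and the tree built by build_fixture() is constructed sample data, not real port contents.

```python
"""Find Log4j 2.x core jars under a tree, including jars nested inside .war/.ear/.jar/.zip
archives, and flag versions in a given range.  Added example; not code from the MacPorts
thread or the port tooling.  Assumed default root: /opt/local, the MacPorts prefix."""
import io
import os
import re
import sys
import tempfile
import zipfile

# Name from the thread's correction, log4j-core-$version.jar, with an optional Maven
# classifier (-sources, -javadoc, -tests) captured so that such noise can be skipped.
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-(\w+))?\.jar$", re.I)
NOISE_CLASSIFIERS = {"sources", "javadoc", "tests"}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Second signal, not from the thread: log4j-core ships its JNDI lookup at this entry,
# so a shaded/uber jar with no version in its name can still be spotted.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Inclusive range as quoted in the thread; adjust if a later advisory moves it.
VULN_MIN, VULN_MAX = (2, 0, 0), (2, 14, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version, lo=VULN_MIN, hi=VULN_MAX):
    return lo <= parse_version(version) <= hi


def _name_hit(base):
    """Return the version string if base is a log4j-core jar worth reporting, else None."""
    m = LOG4J_CORE_RE.match(base)
    return m.group(1) if m and m.group(2) not in NOISE_CLASSIFIERS else None


def _scan_zip(zf, origin, named, findings):
    """Walk one zip container, recursing into nested archives such as WEB-INF/lib/*.jar.
    `named` is True when the container was already identified by its own file name."""
    names = zf.namelist()
    if not named and JNDI_LOOKUP_CLASS in names:
        findings.append((origin, None, None))  # version unknown: check manually
    for name in names:
        base = name.rsplit("/", 1)[-1]
        version = _name_hit(base)
        if version:
            findings.append((f"{origin}!{name}", version, is_vulnerable(version)))
        if base.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{origin}!{name}", version is not None, findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Return [(location, version or None, vulnerable or None)] for everything under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            version = _name_hit(fn)
            if version:
                findings.append((path, version, is_vulnerable(version)))
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_zip(zf, path, version is not None, findings)
                except (OSError, zipfile.BadZipFile):
                    continue
    return findings


def build_fixture(root):
    """Constructed sample tree (not real port contents) covering the cases in the thread."""
    def make_zip(path, entries):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:  # a log4j-core jar to hide inside a .war
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
    lib = os.path.join(root, "share", "java")
    make_zip(os.path.join(lib, "log4j-core-2.14.1.jar"), {JNDI_LOOKUP_CLASS: b""})  # in range
    make_zip(os.path.join(lib, "log4j-core-2.15.0.jar"), {JNDI_LOOKUP_CLASS: b""})  # fixed per thread
    make_zip(os.path.join(lib, "log4j-1.2.17.jar"), {"org/apache/log4j/Logger.class": b""})  # 1.x
    make_zip(os.path.join(lib, "log4j-core-2.14.1-sources.jar"), {"README": b""})  # classifier noise
    make_zip(os.path.join(lib, "shaded-app.jar"), {JNDI_LOOKUP_CLASS: b""})  # no version in name
    make_zip(os.path.join(root, "webapps", "app.war"), {"WEB-INF/lib/log4j-core-2.11.2.jar": nested.getvalue()})
    return root


def demo():
    """Build the fixture in a fresh temp dir and scan it; returns (root, findings)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    return root, scan_tree(build_fixture(root))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/local"  # assumed MacPorts prefix
    for location, version, vulnerable in (demo()[1] if root == "--demo" else scan_tree(root)):
        print({True: "VULNERABLE", False: "ok", None: "CHECK MANUALLY"}[vulnerable], version or "?", location)
```

Run it as `python3 log4j_scan.py /opt/local` (or `--demo` to scan the constructed fixture). Two caveats: nested archives are read fully into memory before inspection, so point it at trusted trees or cap the entry size before recursing; and a JndiLookup.class hit only says the class is shipped, not which version or whether it is reachable, so treat "CHECK MANUALLY" as a prompt to open the jar's manifest or pom.properties, not as a verdict.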
