[OS X TeX] log4j use in MacTeX 2021

Herbert Schulz herbs at wideopenwest.com
Fri Dec 24 21:28:10 EST 2021



> On Dec 24, 2021, at 6:07 PM, Gerben Wierda via MacOSX-TeX <macosx-tex at email.esm.psu.edu> wrote:
> 
> The CAST tool from CrowdStrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.
> 
> {"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}
> 
> Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):
> 
> sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara
> 
> Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.
> 
> Tool used for scanning: https://github.com/CrowdStrike/CAST/releases
> 
> Gerben Wierda (LinkedIn)
> R&A IT Strategy (main site)
> Book: Chess and the Art of Enterprise Architecture
> Book: Mastering ArchiMate

Howdy.

Arara is, in the end, a Java application (please, not the same as JavaScript) which is subject to the (major) log4j bug. I'm not sure how many Java applications are used in TeX Live.

Good Luck,

Herb Schulz
herbs at wideopenwest.com
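As an added example (not part of the original thread, and not code from CAST, arara or TeX Live): a Python sketch that inspects a jar such as arara.jar for bundled log4j-core classes, the kind of member the scanner output above lists, and reports whether `JndiLookup.class` is present and which version the jar records. The function names are hypothetical, and the version is read from the Maven `pom.properties` entry that log4j-core ships, which a repackaged jar may omit (reported as `None`).

```python
import io
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(data, name="<jar>", depth=0, max_depth=3):
    """Return findings for one archive (as bytes) and any archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive, nothing to report
    findings = []
    with zf:
        members = zf.namelist()
        core = [m for m in members if m.startswith(CORE_PREFIX) and m.endswith(".class")]
        if core:
            version = None  # stays None when the jar carries no Maven metadata
            if POM_PROPS in members:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"container": name, "core_classes": len(core),
                             "jndi_lookup": JNDI_LOOKUP in members, "version": version})
        if depth < max_depth:  # bounded recursion into jars packed inside jars
            for m in members:
                if m.lower().endswith((".jar", ".war", ".ear")):
                    findings += inspect_jar(zf.read(m), f"{name}!/{m}", depth + 1, max_depth)
    return findings


def build_sample_jar(version="0.0.0-constructed", with_jndi=True):
    """Constructed sample input: an in-memory jar with empty stand-in class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the arara.jar path from the scanner output
        with open(path, "rb") as fh:
            print(path, inspect_jar(fh.read(), path))
```

Run against every `.jar` under the TeX Live tree, this also answers the question of how many bundled Java tools carry their own copy of log4j-core.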
