[OS X TeX] log4j use in MacTeX 2021

Sat Dec 25 06:34:52 EST 2021

The really serious issue has been solved in log4j 2.16.0. After close scrutiny which naturally followed some more convoluted vulnerabilities have been found which are/will be fixed in 2.17.0.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>

> On 25 Dec 2021, at 04:03, Richard Koch <koch at uoregon.edu> wrote:
> 
> 
> Folks,
> 
> See
> 
> https://gitlab.com/islandoftex/arara/-/releases <https://gitlab.com/islandoftex/arara/-/releases>
> 
> for release 6.1.5 of arara. Paulo Cereda writes
> 
> "Yet another log4j vulnerability was found (CVE-2021-45105 <https://nvd.nist.gov/vuln/detail/CVE-2021-45105>), and it affects the library version (2.16.0) we use in arara6.1.4. Although there's no attack vector for us (as we do not rely on thread context maps), it's wise to bump dependencies once again and issue a patch release. It's been reported that log4j 2.17.0 fixes this vulnerability."
> 
> and the latest release says
> 
> Fixed shipping a vulnerable log4j version.
> 
> It is important, of course, to get this into TeX Live rapidly, and until that happens users should pay attention to Gerben's warning.
> 
> Richard Koch 
> 
> 
>> On Dec 24, 2021, at 6:28 PM, Herbert Schulz <herbs at wideopenwest.com <mailto:herbs at wideopenwest.com>> wrote:
>> 
>> 
>> 
>>> On Dec 24, 2021, at 6:07 PM, Gerben Wierda via MacOSX-TeX <macosx-tex at email.esm.psu.edu <mailto:macosx-tex at email.esm.psu.edu>> wrote:
>>> 
>>> The CAST tool form Crowdstrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j  implementation. Many of these lines appear.
>>> 
>>> {"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}
>>> 
>>> Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):
>>> 
>>> sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara
>>> 
>>> Basically, I don’t know if using array may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need array, this was th quick and dirty way to get rid of the positive.
>>> 
>>> Tool used for scanning: https://github.com/CrowdStrike/CAST/releases <https://github.com/CrowdStrike/CAST/releases>
>>> 
>>> Gerben Wierda (LinkedIn)
>>> R&A IT Strategy (main site)
>>> Book: Chess and the Art of Enterprise Architecture
>>> Book: Mastering ArchiMate
>> 
>> Howdy.
>> 
>> Arara is, in the end, a Java application (please, not the same as Java-Script) which is subject to the (major) log4 bug. I'm not sure how many Java applications are used in TeX Live.
>> 
>> Good Luck,
>> 
>> Herb Schulz
>> herbs at wideopenwest.com <mailto:herbs at wideopenwest.com>
>> 
>> 
>> ----------- Please Consult the Following Before Posting -----------
>> TeX FAQ: http://www.tex.ac.uk/faq
>> List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/TeX/
>> List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
>>                https://email.esm.psu.edu/pipermail/macosx-tex/
>> TeX on Mac OS X Website: http://mactex-wiki.tug.org/
>> List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex
> 
> ----------- Please Consult the Following Before Posting -----------
> TeX FAQ: http://www.tex.ac.uk/faq
> List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/TeX/
> List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
>                https://email.esm.psu.edu/pipermail/macosx-tex/
> TeX on Mac OS X Website: http://mactex-wiki.tug.org/
> List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://email.esm.psu.edu/pipermail/macosx-tex/attachments/20211225/d907bcd3/attachment.htm>