[OS X TeX] log4j use in MacTeX 2021

[Gerben Wierda via MacOSX-TeX]

The CAST tool form Crowdstrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j  implementation. Many of these lines appear.

{"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}

Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):

sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara

Basically, I don’t know if using array may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need array, this was th quick and dirty way to get rid of the positive.

Tool used for scanning: https://github.com/CrowdStrike/CAST/releases

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A IT Strategy <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://tug.org/pipermail/macostex-archives/attachments/20211225/7272e14b/attachment.html>
-------------- next part --------------
----------- Please Consult the Following Before Posting -----------
TeX FAQ: http://www.tex.ac.uk/faq
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/TeX/
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
                https://email.esm.psu.edu/pipermail/macosx-tex/
TeX on Mac OS X Website: http://mactex-wiki.tug.org/
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex