[OS X TeX] log4j use in MacTeX 2021

Herbert Schulz herbs at wideopenwest.com
Sat Dec 25 03:28:10 CET 2021

> On Dec 24, 2021, at 6:07 PM, Gerben Wierda via MacOSX-TeX <macosx-tex at email.esm.psu.edu> wrote:
> The CAST tool from Crowdstrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.
> {"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}
> Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):
> sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara
> Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.
> Tool used for scanning: https://github.com/CrowdStrike/CAST/releases
> Gerben Wierda (LinkedIn)
> R&A IT Strategy (main site)
> Book: Chess and the Art of Enterprise Architecture
> Book: Mastering ArchiMate


Arara is, in the end, a Java application (please, not the same as JavaScript) which is subject to the (major) log4j bug. I'm not sure how many Java applications are used in TeX Live.

Good Luck,

Herb Schulz
herbs at wideopenwest.com
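Before deleting the directory, the check most people would want is to open arara.jar and ask two concrete questions: which log4j-core version does it bundle, and is the JndiLookup class (the component CVE-2021-44228 abuses, and the one Apache's own mitigation removes) present? The script below does that. It is an added example, not code from this thread, from arara/TeX Live or from CrowdStrike's CAST. It assumes the bundled log4j-core carries its Maven pom.properties under META-INF/maven/org.apache.logging.log4j/log4j-core/ (as a shaded "fat jar" normally does), it does not descend into nested jars or relocated packages, and it classifies only against CVE-2021-44228. The sample jar it builds when run without an argument is constructed stand-in data, not the real arara.jar.

```python
"""Inspect a .jar for a bundled log4j-core and report its CVE-2021-44228 status.

Added example for the MacTeX/arara thread; not part of arara or of CAST.
Assumptions (see lead-in): log4j-core's Maven pom.properties is present
inside the jar, packages are not relocated, and nested jars are ignored.
"""
import io
import sys
import zipfile

LOG4J_CORE = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = LOG4J_CORE + "lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' (or '2.3.1-rc1') into a comparable tuple of ints."""
    nums = []
    for part in text.split("-")[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def pom_version(props_text):
    """Return the 'version=' value from a Maven pom.properties file, or None."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def classify(version):
    """Status of a log4j-core version for CVE-2021-44228 (JNDI lookup RCE).

    Affected: 2.0-beta9 through 2.14.1, except the 2.3.1 (Java 6) and
    2.12.2 (Java 7) backports. Fixed from 2.15.0 onward; the follow-up
    CVEs (2021-45046, 2021-45105) are not modelled here and want 2.17.x.
    Pre-beta9 2.0 betas are counted conservatively as vulnerable.
    """
    v = parse_version(version)
    if not v or v[0] != 2:
        return "not-2.x"
    if (v >= (2, 15, 0)
            or (2, 12, 2) <= v < (2, 13, 0)
            or (2, 3, 1) <= v < (2, 4, 0)):
        return "fixed-44228"
    return "vulnerable-44228"


def inspect_jar(jar_bytes):
    """Report log4j-core presence, bundled version and JndiLookup status."""
    report = {"log4j_core_classes": 0, "jndi_lookup": False,
              "version": None, "status": "no-log4j-core"}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        report["log4j_core_classes"] = sum(
            1 for n in names if n.startswith(LOG4J_CORE) and n.endswith(".class"))
        report["jndi_lookup"] = JNDI_LOOKUP in names
        if POM_PROPS in names:
            report["version"] = pom_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    if report["log4j_core_classes"]:
        report["status"] = classify(report["version"]) if report["version"] else "unknown-version"
        # A vulnerable version with JndiLookup.class stripped out is the
        # mitigation Apache documented; report it distinctly.
        if report["status"] == "vulnerable-44228" and not report["jndi_lookup"]:
            report["status"] = "mitigated-jndilookup-removed"
    return report


def build_sample_jar(version, include_jndi=True, include_pom=True):
    """Constructed stand-in for a fat jar: a few log4j-core entries with empty
    bodies plus the Maven metadata. Sample data only, not the real arara.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/app/Main.class", b"")  # the application's own class
        zf.writestr(LOG4J_CORE + "async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class", b"")
        zf.writestr(LOG4J_CORE + "LoggerContext.class", b"")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
        if include_pom:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n"
                                   f"version={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real jar path, e.g. .../texmf-dist/scripts/arara/arara.jar;
    # with no argument the constructed sample jar is inspected instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar("2.14.1")
    print(inspect_jar(data))
```

Run it as `python3 check_log4j_jar.py /usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar` (the script name is an assumption). A status of "fixed-44228" or "mitigated-jndilookup-removed" means the jar is not the reason to delete the scripts directory; "unknown-version" means the metadata is missing and the version has to be established another way, for example from the jar's MANIFEST or the upstream release notes.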

----------- Please Consult the Following Before Posting -----------
TeX FAQ: http://www.tex.ac.uk/faq
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/TeX/
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
TeX on Mac OS X Website: http://mactex-wiki.tug.org/
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex
