[OS X TeX] log4j use in MacTeX 2021
Richard Koch
koch at uoregon.edu
Sat Dec 25 04:03:16 CET 2021
Folks,
See
https://gitlab.com/islandoftex/arara/-/releases
for release 6.1.5 of arara. Paulo Cereda writes
"Yet another log4j vulnerability was found (CVE-2021-45105, https://nvd.nist.gov/vuln/detail/CVE-2021-45105), and it affects the library version (2.16.0) we use in arara 6.1.4. Although there's no attack vector for us (as we do not rely on thread context maps), it's wise to bump dependencies once again and issue a patch release. It's been reported that log4j 2.17.0 fixes this vulnerability."
and the latest release says
Fixed shipping a vulnerable log4j version.
It is important, of course, to get this into TeX Live rapidly, and until that happens users should pay attention to Gerben's warning.
Richard Koch
On Dec 24, 2021, at 6:28 PM, Herbert Schulz <herbs at wideopenwest.com> wrote:
On Dec 24, 2021, at 6:07 PM, Gerben Wierda via MacOSX-TeX <macosx-tex at email.esm.psu.edu> wrote:
The CAST tool from CrowdStrike marks /usr/local/texlive/2021/texmf-dist/scripts/arara as something that contains the use of a vulnerable log4j implementation. Many of these lines appear.
{"container":"/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar","member":{"path":"/org/apache/logging/log4j/core/async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class","size":4286,"modified":"2020-11-06T14:03:10Z"},"sha256":"1469023e000dd3d44faf1e221990ac41f0f7921f72adb0c8e9cc6176fc912640"}
Maybe best to remove it. I did. In Terminal (use at your own risk and especially do not enter any spaces in the command below that aren’t there already, copy paste will be correct):
sudo rm -rf /usr/local/texlive/2021/texmf-dist/scripts/arara
Basically, I don’t know if using arara may mean there is a vulnerability (probably not) but as I am strapped for time and I don’t need arara, this was the quick and dirty way to get rid of the positive.
Tool used for scanning: https://github.com/CrowdStrike/CAST/releases
Gerben Wierda (LinkedIn)
R&A IT Strategy (main site)
Book: Chess and the Art of Enterprise Architecture
Book: Mastering ArchiMate
Howdy.
Arara is, in the end, a Java application (please, not the same as JavaScript) which is subject to the (major) log4j bug. I'm not sure how many Java applications are used in TeX Live.
Good Luck,
Herb Schulz
herbs at wideopenwest.com
----------- Please Consult the Following Before Posting -----------
TeX FAQ: http://www.tex.ac.uk/faq
List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/TeX/
List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
https://email.esm.psu.edu/pipermail/macosx-tex/
TeX on Mac OS X Website: http://mactex-wiki.tug.org/
List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex
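The CAST record quoted in the thread identifies a log4j-core class inside arara.jar by member path, size, timestamp and SHA-256. As an added example (not code from the thread, CAST or arara), the Python below produces records of the same shape for any jar and decides whether the bundled log4j-core is below the 2.17.0 fix level named by Paulo Cereda. It assumes the shaded jar still carries log4j-core's Maven pom.properties for the version; the jar it scans is constructed in memory, so nothing here touches a real TeX Live tree.

```python
import hashlib
import io
import zipfile
from datetime import datetime, timezone

# Shaded log4j-core classes sit under this prefix inside a fat jar such as arara.jar.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Assumption: Maven-built log4j-core keeps its version in this file, and shading preserves it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # CVE-2021-45105 is fixed in log4j 2.17.0, per the thread

def parse_version(text):
    """'2.16.0' -> (2, 16, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split(".")[:3])

def log4j_version(zf):
    """Bundled log4j-core version from pom.properties, or None if the file is absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar(jar, label):
    """Scan a jar (bytes or path) and emit CAST-style records for log4j-core members."""
    members = []
    with zipfile.ZipFile(io.BytesIO(jar) if isinstance(jar, bytes) else jar) as zf:
        version = log4j_version(zf)
        for info in zf.infolist():
            if info.filename.startswith(LOG4J_CORE_PREFIX) and info.filename.endswith(".class"):
                data = zf.read(info)
                stamp = datetime(*info.date_time, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
                members.append({"container": label,
                                "member": {"path": "/" + info.filename, "size": len(data), "modified": stamp},
                                "sha256": hashlib.sha256(data).hexdigest()})
    # log4j-core present but version unknown is treated as needing an update (fail closed).
    needs_update = bool(members) and (version is None or parse_version(version) < FIXED_VERSION)
    return {"log4j_version": version, "members": members, "needs_update": needs_update}

def build_sample_jar(version):
    """Constructed sample: one fake log4j-core class plus its pom.properties (not real log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J_CORE_PREFIX + "async/JCToolsBlockingQueueFactory$MpscBlockingQueue.class",
                    b"\xca\xfe\xba\xbe constructed class body")
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Running `scan_jar("/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar", "arara.jar")` against an installed copy reports the bundled version and whether it predates 2.17.0, which is a more precise basis for the update-or-remove decision than a class-name match alone.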