
I ran this on my Mac and it found 2 instances of log4j jar files, both related to Xcode:

/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar

/System/Volumes/Data/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar

Should I just delete them or is there a different mitigation? Apple needs to ship a patched Xcode version ASAP.



See the Xcode 13.2.1 release notes [0]:

> Xcode contains a copy of the log4j library that has the CVE-2021-44228 security vulnerability. Xcode automatically downloads an updated version of this library and installs it into ~/Library/Caches/com.apple.amp.itmstransporter. When submitting apps to the App Store, Xcode uses the updated version of the library. (86390060)

[0] https://developer.apple.com/documentation/xcode-release-note...


You can also use the --rewrite flag to automatically patch those files. This will remove the class that leads to the vulnerability and is generally a safe change.


Finding the log4j jar is not the problem, it could have been patched. Finding the one that has vulnerable code is the issue.
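The distinction drawn in the comment above (a jar named log4j-core is not necessarily still vulnerable; what matters is whether the JNDI lookup class is inside it) is what a filesystem scanner has to check. The script below is an added illustration written for this thread, not the scanner discussed in it and not Apple's or the log4j project's code. It walks a directory tree, opens every jar/war/ear/zip, reads the log4j-core version from the Maven `pom.properties` entry, checks for `org/apache/logging/log4j/core/lookup/JndiLookup.class`, and recurses into nested archives (a war bundling a jar), which is where "patched" copies are most often missed. The sample archives it builds are constructed inline so the script runs offline; the `build_sample_jar` / `build_nested_sample` helpers and the depth limit of 3 are assumptions of this example.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# The class whose removal the thread's --rewrite flag performs; its presence is
# the actual indicator, not the jar's file name.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$"
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3  # assumption: how deep to follow jars-inside-jars


@dataclass
class Finding:
    path: str                 # filesystem path; nested entries joined with "!/"
    version: Optional[str]    # log4j-core version from pom.properties, if any
    has_jndi_lookup: bool     # True means the lookup class is still present


def _log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read version=... from the log4j-core Maven descriptor, if bundled."""
    for name in zf.namelist():
        if POM_PROPS_RE.match(name):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, display_path: str,
                    findings: List[Finding], depth: int = 0) -> None:
    """Record a finding for this archive if it looks like log4j-core, then
    descend into any archives it contains (shaded/uber jars, wars, ears)."""
    names = set(zf.namelist())
    version = _log4j_core_version(zf)
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append(Finding(display_path, version, has_jndi))
    if depth >= MAX_NESTING:
        return
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, KeyError):
                continue  # not a real archive, or an undecodable entry
            with inner:
                inspect_archive(inner, f"{display_path}!/{name}", findings, depth + 1)


def scan_archive_bytes(data: bytes, display_path: str) -> List[Finding]:
    """Inspect one in-memory archive (convenient for tests and pipelines)."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        inspect_archive(zf, display_path, findings)
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and inspect every archive found under it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not actually a zip container
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed sample input: a minimal jar shaped like log4j-core.
    The class bodies are just the 0xCAFEBABE magic, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n",
        )
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_nested_sample(inner_jar: bytes, inner_name: str) -> bytes:
    """Constructed sample input: a war that bundles the given jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(f"WEB-INF/lib/{inner_name}", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    # Demo on a throwaway directory: one unpatched jar, one with the class
    # removed (the state --rewrite leaves behind), one nested inside a war.
    with tempfile.TemporaryDirectory() as tmp:
        unpatched = build_sample_jar("2.11.2", True)
        with open(os.path.join(tmp, "log4j-core-2.11.2.jar"), "wb") as f:
            f.write(unpatched)
        with open(os.path.join(tmp, "log4j-core-2.11.2-rewritten.jar"), "wb") as f:
            f.write(build_sample_jar("2.11.2", False))
        with open(os.path.join(tmp, "app.war"), "wb") as f:
            f.write(build_nested_sample(unpatched, "log4j-core-2.11.2.jar"))
        for finding in scan_tree(tmp):
            state = "JndiLookup PRESENT" if finding.has_jndi_lookup else "JndiLookup absent"
            print(f"{finding.path}: log4j-core {finding.version or '?'} ({state})")
```

Run it against a real tree with `scan_tree("/Applications/Xcode.app")`; for the Xcode copies above it will report the 2.11.2 jars and, separately, whether the class is still inside each, which is the answer the file name alone cannot give. Reporting the path with `!/` separators for nested hits keeps the output usable when the vulnerable copy turns out to be inside an application bundle rather than on disk as a standalone jar.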


It so needs solving. Everyone should be using upgraded jars. Except as a stopgap, you shouldn't rely on patched jars.



