log4j os this a risk under Mac OS?

The preceding is an ill-informed reply. It's sort-of-right in that the log4j vulnerability is not a virus, and could be right in the sense that Sophos doing a virus scan won't flag log4j files as viruses, because they're not viruses.

log4j is widely-deployed normal software that happens to have a bug with very severe consequences.

An attacker can exploit the bug to get root privileges on the machine by doing something as trivial as sending a specially-formed text chat to a Minecraft player. (Minecraft is one of the applications that is vulnerable, if you're playing on a vanilla version < 1.18.1. If you're playing a modified version, contact the author of the mod for details). You may think: "I never installed Java". This does NOT make you safe, since many apps (Minecraft, f.e.) bundle their own Java runtime and copy of log4j.

When an attacker gets root, it's Game Over. He or she can rule your machine, and macOS's "UNIX security" will only help the attacker by honoring root permissions.

This issue is most often a problem on enterprise, web-facing systems, but that's no guarantee that things you've put on your Mac aren't vulnerable as well.

I'd like to hear from Apple as well on the status of macOS (and iOS) regarding log4j.

Sophos is protecting nothing on this computer apart from the user paying money for a Non Existing problem that affects macOS.

It is also consuming Resources of the computer like CPU and Memory and provide Zero Return except for problems.

There are no known Windows-like Viruses in the wild that self replicate and affect macOS, because of the underling UNIX  Foundation and Permission Limitation. 

The The Built in Security  is all that is required to protect the computer.

Are there any AntiVirus, Disk Cleaner, Optimizers, Un-installers, etc installed which should be removed as per Developers Instructions. They are useless, unneeded, cause havoc and interfere with the normal operation of the OS and may even Corrupt the OS requiring a Reinstallation

jimmiedave wrote:

I'd like to hear from Apple as well on the status of macOS (and iOS) regarding log4j.

Here's some info from a couple days ago…

https://9to5mac.com/2021/12/14/apple-patches-log4shell-icloud-vulnerability/

jimmiedave wrote:

Thanks. Good to know, but it refers to iCloud - the server side.

I'd like to hear whether more device-side apps (like Minecraft Java Edition) are affected on macOS or iOS.

As far as I know, macOS does not ship log4j as part of the base OS install, so I'm not sure there is anything for Apple to do about Minecraft.

Apple does include log4j with Xcode, so if you have installed Xcode, you might want to be on the lookup for an Xcode update.

I'm no longer personally concerned about Minecraft. I was using it as an example. I updated all my families' Minecraft instances and our personal server, deleted any non-patched mods last Saturday.

I'm thinking about macOS and iOS - Including the many folders I'm not allowed to search with find (even with sudo privileges)

On my main Mac, I've found that the JetBrains IDEs (in my case, PyCharm and IntelliJ) ship with log4j on my machine locally, as does the Arduino development environment - a certainly vulnerable version in the case of Arduino.

So DOES macOS have log4j? (unlikely, but possible, impossible to know without an official statement, or ability to read all folders)

And will/does Apple offer any mitigation (for these other installed apps) on the computer/phone side? If so, what is it?

Good catch on the potential issue existing in some Third Party Application. Will commend one for that :-)

Though, in the Context of Sophos Antivirus Virus Software on macOS ( as OP defined as installed on the computer ) - that has be delineated out in detail as per original posting.

What I've found is that single clicking on the any log4j jar files found by Finder should reveal the path to its location on the bottom of the search results. This will hopefully lead you to the package which installed it. You will need to update those specific packages if they contain log4j versioned below the patched version. Alternatively, if you're no longer using that package, remove it from the system.

Note that single clicking a file doesn't activate it. It simply highlights it for more detail. However, double clicking it might launch it. You'll want to avoid double clicking.

Good luck.

Tenable has a reasonable write-up, and Apache has some mitigation info posted.

Minecraft is vulnerable, reportedly both client and server.

There are affected VMware apps, and a variety of other apps from other vendors.

If you loaded Java and particularly if you’re still running Java, you’re going to need to do some research,

Here, your system seems to have an older version of log4j around and that with somewhat different known vulnerabilities, and you will need to figure out what that app is and whether you need it, and whether you need to update or replace it.

If you’re running other Java apps, you will need to review those apps and update as necessary, too.

The app update from the app provider, or—if you’re stuck—maybe pulling the known-vulnerable part from the jar using the unzip command works until there’s an update or a replacement. The unzip command mitigation is listed in the Apache link posted above. Expunging the vulnerable component probably won’t effect most Java apps, but it might. And the mitigation will break code-signing, if the Java app involved is code-signed.

macOS itself does not ship with Oracle Java, and does not ship the Apache logging app. Even back when Apple had its own Java port years ago, you still had to add it yourself. If you’ve added Oracle Java, then you now own the investigation into what is installed.

As for anti-malware apps, I generally do not recommend those add-on anti-malware apps. As endpoint security tools for those that need that, maybe. For general use by folks on a recent version of macOS patched current, not so much. These tools can add overhead and instabilities and can introduce vulnerabilities, and some have had privacy surprises.

It is important to reiterate: applications can bundle their own version of Java.

You may have vulnerable Java apps on your machine even though you have not installed Java.

Minecraft is one of these apps, if using the stock version < 1.18.1

That is not an informed response. Ignore him please as the log4j issue is not a virus.

Additionally, a MAC is not 'secure' just because it is based on 'Unix'.

Even the link supplied informs you how, if you are not paying close attention, you could install malware on a Mac.

Thanks. Good to know, but it refers to iCloud - the server side.

I'd like to hear whether more device-side apps (like Minecraft Java Edition) are affected on macOS or iOS.

Welcome.

You do know it's possible to search online?

https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition

Yes, I do. I found this thread as the first hit on duckduckgo.

Arduino 1.8.18 has been updated with a fixed version of log4j.