
log4j is this a risk under Mac OS?

I found several hundred files with log4j in the name spread across my Mac's backup sets.

Most were from before 2014. They are jar, xml, html, patch, info

My HD had 10 files, the most recent being 9 Jul 2007. They are jar, patch, properties and info files

They have never been picked up by Sophos, I do scans every month or so.

I am currently doing a Sophos scan of my primary backup, will take a while.

See screen shots of searches below.


MacBook Pro 15″, macOS 10.13

Posted on Dec 15, 2021 5:29 AM

Dec 16, 2021 12:44 PM in response to PRP_53

The preceding is an ill-informed reply. It's sort-of-right in that the log4j vulnerability is not a virus, and could be right in the sense that Sophos doing a virus scan won't flag log4j files as viruses, because they're not viruses.


log4j is widely-deployed normal software that happens to have a bug with very severe consequences.


An attacker can exploit the bug to get root privileges on the machine by doing something as trivial as sending a specially-formed text chat to a Minecraft player. (Minecraft is one of the applications that is vulnerable, if you're playing on a vanilla version < 1.18.1. If you're playing a modified version, contact the author of the mod for details). You may think: "I never installed Java". This does NOT make you safe, since many apps (Minecraft, f.e.) bundle their own Java runtime and copy of log4j.


When an attacker gets root, it's Game Over. He or she can rule your machine, and macOS's "UNIX security" will only help the attacker by honoring root permissions.


This issue is most often a problem on enterprise, web-facing systems, but that's no guarantee that things you've put on your Mac aren't vulnerable as well.


I'd like to hear from Apple as well on the status of macOS (and iOS) regarding log4j.


Dec 15, 2021 7:25 AM in response to karlreed

Sophos is protecting nothing on this computer apart from the user paying money for a Non Existing problem that affects macOS.


It is also consuming Resources of the computer like CPU and Memory and provides Zero Return except for problems.


There are no known Windows-like Viruses in the wild that self replicate and affect macOS, because of the underlying UNIX Foundation and Permission Limitation.


The Built in Security is all that is required to protect the computer.


Are there any AntiVirus, Disk Cleaner, Optimizers, Un-installers, etc installed which should be removed as per Developers Instructions? They are useless, unneeded, cause havoc and interfere with the normal operation of the OS and may even Corrupt the OS requiring a Reinstallation.



Dec 16, 2021 1:36 PM in response to jimmiedave

jimmiedave wrote:

Thanks. Good to know, but it refers to iCloud - the server side.

I'd like to hear whether more device-side apps (like Minecraft Java Edition) are affected on macOS or iOS.

As far as I know, macOS does not ship log4j as part of the base OS install, so I'm not sure there is anything for Apple to do about Minecraft.


Apple does include log4j with Xcode, so if you have installed Xcode, you might want to be on the lookout for an Xcode update.


Dec 16, 2021 1:50 PM in response to BobHarris

I'm no longer personally concerned about Minecraft. I was using it as an example. I updated all my families' Minecraft instances and our personal server, deleted any non-patched mods last Saturday.


I'm thinking about macOS and iOS - Including the many folders I'm not allowed to search with find (even with sudo privileges)


On my main Mac, I've found that the JetBrains IDEs (in my case, PyCharm and IntelliJ) ship with log4j on my machine locally, as does the Arduino development environment - a certainly vulnerable version in the case of Arduino.


So DOES macOS have log4j? (unlikely, but possible, impossible to know without an official statement, or ability to read all folders)


And will/does Apple offer any mitigation (for these other installed apps) on the computer/phone side? If so, what is it?


Dec 17, 2021 2:21 AM in response to jimmiedave

Good catch on the potential issue existing in some Third Party Application. Will commend one for that :-)


Though, in the Context of Sophos Antivirus Virus Software on macOS (as OP defined as installed on the computer) - that has been delineated out in detail as per original posting.


Dec 21, 2021 12:42 PM in response to karlreed

What I've found is that single clicking on any of the log4j jar files found by Finder should reveal the path to its location on the bottom of the search results. This will hopefully lead you to the package which installed it. You will need to update those specific packages if they contain log4j versioned below the patched version. Alternatively, if you're no longer using that package, remove it from the system.


Note that single clicking a file doesn't activate it. It simply highlights it for more detail. However, double clicking it might launch it. You'll want to avoid double clicking.


Good luck.


Dec 21, 2021 1:16 PM in response to karlreed

Tenable has a reasonable write-up, and Apache has some mitigation info posted.


Minecraft is vulnerable, reportedly both client and server.


There are affected VMware apps, and a variety of other apps from other vendors.


If you loaded Java and particularly if you’re still running Java, you’re going to need to do some research.


Here, your system seems to have an older version of log4j around and that with somewhat different known vulnerabilities, and you will need to figure out what that app is and whether you need it, and whether you need to update or replace it.


If you’re running other Java apps, you will need to review those apps and update as necessary, too.


The app update from the app provider, or—if you’re stuck—maybe pulling the known-vulnerable part from the jar using the unzip command works until there’s an update or a replacement. The unzip command mitigation is listed in the Apache link posted above. Expunging the vulnerable component probably won’t affect most Java apps, but it might. And the mitigation will break code-signing, if the Java app involved is code-signed.


macOS itself does not ship with Oracle Java, and does not ship the Apache logging app. Even back when Apple had its own Java port years ago, you still had to add it yourself. If you’ve added Oracle Java, then you now own the investigation into what is installed.


As for anti-malware apps, I generally do not recommend those add-on anti-malware apps. As endpoint security tools for those that need that, maybe. For general use by folks on a recent version of macOS patched current, not so much. These tools can add overhead and instabilities and can introduce vulnerabilities, and some have had privacy surprises.



Reply

Dec 21, 2021 3:14 PM in response to PRP_53

That is not an informed response. Ignore him please as the log4j issue is not a virus.

Additionally, a Mac is not 'secure' just because it is based on 'Unix'.

Even the link supplied informs you how, if you are not paying close attention, you could install malware on a Mac.

