Xcode: Hotfix meant to work around Log4j vulnerability


The serious Log4j vulnerability also affects Apple’s Xcode development environment. Up to and including the current version 13.2.1, the application ships a vulnerable version of the Java logging library log4j. It appears to be a long-standing part of the deployment functionality used to upload programs to Apple’s App Store.

Since the end of last week, Xcode has been automatically downloading an updated version of the Java logging library and installing it in the directory ~/Library/Caches/com.apple.amp.itmstransporter, as the manufacturer notes under “Known Issues” in the Xcode 13.2.1 release notes for developers. The fix is not listed in the general version history of Xcode in the Mac App Store. Developers were at times unsettled because the log4j version bundled with Xcode is still considered vulnerable. According to Apple, Xcode now uses the updated version of the Java logging library only when uploading or submitting iOS apps for sale via the App Store.

Accordingly, the vulnerable library should no longer be used when uploading finished apps, even though the older version of the Java logging library remains part of the current Xcode release.
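The article names the cache directory where Xcode stages the updated library but gives no way to check what is actually on a machine. The following POSIX shell script is an added example, not code from the article or from Apple: it walks the Xcode app bundle (assumed to sit at /Applications/Xcode.app) and the ~/Library/Caches/com.apple.amp.itmstransporter directory named above, reports every log4j-core jar it finds with the version taken from the file name, compares that version against a minimum (2.17.0 is assumed here as the threshold, being the first 2.x release that carried all of the Log4Shell-related fixes), and notes whether the JndiLookup class is still inside the jar. The function names and the output format are the example’s own choices.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): find log4j-core jars under the
# given directories and report their version and JndiLookup status.
# Usage: sh log4j-xcode-check.sh [DIR ...]   (defaults: Xcode.app and the Transporter cache)

# Assumed threshold: first log4j 2.x release carrying all of the Log4Shell-related fixes.
MIN_LOG4J="2.17.0"

# Version string from a jar name such as log4j-core-2.14.1.jar -> 2.14.1
log4j_version_from_name() {
    basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\).*$/\1/p'
}

# Succeeds when dotted version $1 is greater than or equal to version $2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Report whether the JndiLookup class is inside the jar (deleting it from the jar was a
# widely used interim mitigation when upgrading was not possible). Needs unzip;
# prints "jndi=unknown" when unzip is missing or the file is not a readable zip.
jndi_lookup_state() {
    if ! command -v unzip >/dev/null 2>&1; then
        echo "jndi=unknown"
        return
    fi
    listing=$(unzip -l "$1" 2>/dev/null) || { echo "jndi=unknown"; return; }
    case $listing in
        *org/apache/logging/log4j/core/lookup/JndiLookup.class*) echo "jndi=present" ;;
        *) echo "jndi=absent" ;;
    esac
}

# Walk the roots and print one line per jar: STATUS<TAB>version<TAB>jndi=...<TAB>path
# Returns 1 when at least one jar is below MIN_LOG4J, 0 otherwise. Missing roots are skipped.
scan_log4j() {
    found_old=0
    for root in "$@"; do
        [ -d "$root" ] || continue
        # Split find output on newlines only so that paths containing spaces stay intact;
        # set -f keeps the shell from expanding glob characters inside those paths.
        old_ifs=$IFS
        IFS='
'
        set -f
        for jar in $(find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null); do
            ver=$(log4j_version_from_name "$jar")
            jndi=$(jndi_lookup_state "$jar")
            if version_ge "$ver" "$MIN_LOG4J"; then
                printf 'OK\t%s\t%s\t%s\n' "$ver" "$jndi" "$jar"
            else
                printf 'VULNERABLE\t%s\t%s\t%s\n' "$ver" "$jndi" "$jar"
                found_old=1
            fi
        done
        set +f
        IFS=$old_ifs
    done
    return $found_old
}

# Stand-alone run: scan the roots given on the command line, or the two default locations
# (Xcode install path assumed; the cache directory is the one named in the article).
scan_status=0
if [ $# -gt 0 ]; then
    scan_log4j "$@" || scan_status=$?
else
    scan_log4j "/Applications/Xcode.app" \
        "$HOME/Library/Caches/com.apple.amp.itmstransporter" || scan_status=$?
fi
if [ "$scan_status" -eq 0 ]; then
    echo "no log4j-core jar below $MIN_LOG4J found"
else
    echo "at least one log4j-core jar below $MIN_LOG4J found"
fi
```

The version is read from the file name only, so a jar that was patched in place by deleting JndiLookup still shows up as VULNERABLE by version; the jndi column is there precisely to tell those two cases apart. Note that the presence of an old jar inside Xcode.app is expected given the article, the question is whether a current one is present in the Transporter cache.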


It is currently unclear whether Apple will also deliver a hotfix for the “iTunes Producer” app, which apparently also contains a vulnerable version of the Java logging library. iTunes Producer is intended for uploading content to Apple’s content stores, previously grouped under the “iTunes Store” name. The App Store backend still appears to be partly based on the old iTunes Store backend. On its own iCloud servers, Apple appears to have already closed the log4j gap.

[Update 21.12.21, 12:30] The article has been corrected: the Java logging library is only used for uploading apps to the App Store and is not shipped as part of the app bundles.


(lbe)
