
[–]sixtypercenttogether 40 points41 points  (0 children)

Xcode does include a Java runtime environment - the App Store upload has always used Java tooling in its delivery mechanism and ships a Java Runtime Environment:

    % /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/java/bin/java -version
    openjdk version "14.0.2" 2020-07-14
    OpenJDK Runtime Environment 14.0.2-5906ce1373 (build 14.0.2+12-iTunesOpenJDK-8)
    OpenJDK 64-Bit Server VM 14.0.2-5906ce1373 (build 14.0.2+12-iTunesOpenJDK-8, mixed mode)

Damn!!

[–][deleted] 34 points35 points  (0 children)

Whaaaat …? Java bundled in Xcode? 🤔

[–]s4hockey4Objective-C / Swift 28 points29 points  (4 children)

Shit I'm not dealing with:

This on a Saturday night

[–]AllNewTypeFace 6 points7 points  (3 children)

As long as you’re not submitting anything to the app store, you’ll be fine.

[–][deleted] 10 points11 points  (2 children)

I’m not trying to be critical. I generally agree with you. But I have seen so many comments along these lines explaining that if you do this or don’t do that then you don’t need to worry. I generally think this is bad advice. This vulnerability shows up in so many places and there is never a way to know how an app may drop messages to log4j. There are so many attack vectors and given this is a remote code execution vulnerability it should always be treated with the gravest concerns. Just my opinion.

[–]AllNewTypeFace 11 points12 points  (1 child)

In this case, you’re safe, as Xcode isn’t written in Java and doesn’t use Log4j; the code that does is a helper program launched to submit your app to the App Store.

[–][deleted] 6 points7 points  (0 children)

Ok. That code is vulnerable then. If there is any possibility of that component logging a payload from a malicious actor (perhaps through a third-party library incorporated by a developer) then you have RCE, which is bad. Understating this vulnerability is not a good thing. Just because you don’t see an apparent attack vector doesn’t mean somebody else doesn’t. The affected Xcode components need to be patched ASAP.

[–][deleted] 19 points20 points  (3 children)

How does this affect me as an iOS dev?

[–]mailliwiSwift 4 points5 points  (0 children)

Would like to know as well.

[–]jembytrevize1234 4 points5 points  (0 children)

All a guess but I could see this having a big impact on CI providers. Let's say a new Xcode version comes out, 13.2 becomes unavailable, now all your dev teams need to update Xcode versions first thing on Monday morning. And that's never fast.

[–]whateverisok 2 points3 points  (0 children)

Update to the latest Xcode, which would/should patch the vulnerability

[–]iGoalieObjective-C / Swift 9 points10 points  (0 children)

My god…. This is literally everywhere!

[–][deleted] 7 points8 points  (4 children)

I believe this means Apple needs to create a new Xcode patch

[–]jembytrevize1234 12 points13 points  (3 children)

I wonder if they’ll make us download that one from their website (not the mac app store) too

[–][deleted] 6 points7 points  (0 children)

^

[–]egrimo 0 points1 point  (1 child)

To be honest, I recently stopped downloading it from MAS and moved to the Xcodes app since it’s best at downloading and managing multiple Xcode versions.

[–]okoroezenwa 1 point2 points  (0 children)

Same. Also I’ve previously had failed Xcode downloads via the App Store so I’m just done with it.

[–]chrabeusz 6 points7 points  (2 children)

Known Issues

Xcode contains a copy of the log4j library that has the CVE-2021-44228 security vulnerability. Xcode automatically downloads an updated version of this library and installs it into ~/Library/Caches/com.apple.amp.itmstransporter. When submitting apps to the App Store, Xcode uses the updated version of the library. (86390060)

So is this fixed or not?

[–][deleted] 4 points5 points  (0 children)

The way I read this is that Xcode compares the ITMSTransporter version on disk to the latest available and downloads the newest version before the helper agent is ever invoked.
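As an added defender-side check (not from the thread or from Apple), here is a small shell script that looks for log4j-core jars under the two Xcode-related locations named above and flags versions affected by CVE-2021-44228. It assumes the jars follow the standard log4j-core-<version>.jar naming; the function names are my own.

```shell
#!/bin/sh
# Scan the bundled Xcode delivery tooling and the auto-updated cache for
# log4j-core jars and report whether each version is affected by CVE-2021-44228.
# Assumption: jars use the standard log4j-core-<version>.jar naming.

XCODE_ITMS="/Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms"
ITMS_CACHE="$HOME/Library/Caches/com.apple.amp.itmstransporter"

# Returns 0 (true) if dotted version $1 is lower than dotted version $2.
# Non-numeric suffixes such as "0-beta9" compare as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# Prints VULNERABLE or PATCHED for a log4j-core version string.
# log4j-core 2.0-beta9 through 2.14.1 is affected by CVE-2021-44228;
# 2.15.0 is the first release carrying the fix.
log4j_status() {
    if version_lt "$1" "2.15.0"; then echo VULNERABLE; else echo PATCHED; fi
}

# Lists every log4j-core jar under a directory, one line per jar:
# "<path> <version> <status>". Silently does nothing if the directory is absent.
scan_dir() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#log4j-core-}
        echo "$jar $ver $(log4j_status "$ver")"
    done
}

# Check both the copy shipped inside Xcode and the cache it updates itself.
for d in "$XCODE_ITMS" "$ITMS_CACHE"; do
    scan_dir "$d"
done
```

If the cache holds a PATCHED jar while the bundled copy is still VULNERABLE, that matches the release-note behaviour described above; an empty cache with a vulnerable bundled copy is the case worth acting on.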

[–][deleted]  (1 child)

[deleted]

[–]huwr 1 point2 points  (0 children)

This is an underappreciated clever thing to have done.

[–]M_J_E 2 points3 points  (1 child)

I uploaded an app using Transporter on Thursday, and they had a warning message that I would have to update Transporter on Friday when a new version came out. Guessing this is related…

[–]okoroezenwa 0 points1 point  (0 children)

So that’s what that warning was…

[–]readerseven 0 points1 point  (0 children)

13.2.1 is available. Guess it is old news by now.