Hello folks.
Our Tenable scan detected a vulnerability, possibly with WeBWorK, but I think it is more with texlive, correct?
Apache Log4j < 2.15.0 Remote Code Execution (Nix)
Upgrade to Apache Log4j version 2.3.1 / 2.12.3 / 2.15.0 or later, or apply the vendor mitigation.
Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.
Path : /usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar
The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
https://logging.apache.org/log4j/2.x/security.html
https://github.com/apache/logging-log4j2/pull/608
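To confirm on the host itself where a finding like this comes from, here is an added example (not from the original post, nor code from TeX Live or arara): a Python script that walks a tree such as /usr/local/texlive, opens every jar it finds, recurses into nested jars the way a fat jar like arara.jar bundles its dependencies, and reports the bundled log4j-core version and whether JndiLookup.class is present, applying the version ranges quoted in the Nessus text above. The sample arara.jar it builds is a constructed fixture, and the 2.14.1 version inside it is chosen for the demo, not taken from any real TeX Live release.

```python
import io, pathlib, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def affected(version):
    """Apply the ranges quoted in the Nessus text: 2.x < 2.3.1, 2.4 <= v < 2.12.3, 2.13 <= v < 2.15.0."""
    try:
        v = (tuple(int(x) for x in version.split(".")) + (0, 0))[:3]
    except (AttributeError, ValueError):
        return None  # missing or unparseable version string: needs a manual look
    return v[0] == 2 and (v < (2, 3, 1) or (2, 4, 0) <= v < (2, 12, 3) or (2, 13, 0) <= v < (2, 15, 0))

def inspect_jar(data, path):
    """Return findings for one archive, recursing into nested jars (fat jars bundle their dependencies)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip (or corrupt): nothing to report
    with zf:
        names, version, findings = zf.namelist(), None, []
        for name in filter(POM_RE.search, names):  # Maven metadata carries the exact log4j-core version
            props = dict(l.split("=", 1) for l in zf.read(name).decode("utf-8", "replace").splitlines() if "=" in l)
            version = props.get("version", "").strip() or version
        if version or JNDI_CLASS in names:  # report even if only the lookup class is present (no metadata)
            findings.append(dict(path=path, version=version, jndi_lookup=JNDI_CLASS in names, affected=affected(version)))
        for name in names:
            if name.lower().endswith(ARCHIVES):
                findings.extend(inspect_jar(zf.read(name), path + "!" + name))
    return findings

def scan_tree(root):
    """Walk a tree such as /usr/local/texlive and inspect every archive in it."""
    findings = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            findings.extend(inspect_jar(p.read_bytes(), str(p)))
    return findings

def build_sample_tree():
    """Constructed fixture (not real TeX Live content): a fat arara.jar wrapping a log4j-core 2.14.1 jar."""
    root = pathlib.Path(tempfile.mkdtemp())
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=2.14.1\n")
        z.writestr(JNDI_CLASS, b"placeholder")  # stands in for the real class bytes
    with zipfile.ZipFile(root / "arara.jar", "w") as z:
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return str(root)
```

Running scan_tree("/usr/local/texlive") on the real host shows which jar carries the affected log4j-core; an `affected` value of None means the version string could not be parsed and should be checked by hand.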