WeBWorK Main Forum

Log4J vulnerability? with texlive

by Lorenzo Ng -
Number of replies: 4

Hello folks.

Our Tenable detected a vulnerability, possibly with WeBWorK, but I think it is more with texlive, correct?

Apache Log4j < 2.15.0 Remote Code Execution (Nix)

Upgrade to Apache Log4j version 2.3.1 / 2.12.3 / 2.15.0 or later, or apply the vendor mitigation.

Upgrading to the latest versions for Apache Log4j is highly recommended as intermediate versions / patches have known high severity vulnerabilities and the vendor is updating their advisories often as new research and knowledge about the impact of Log4j is discovered. Refer to https://logging.apache.org/log4j/2.x/security.html for the latest versions.

Path              : /usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar

The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.

Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

https://logging.apache.org/log4j/2.x/security.html
https://github.com/apache/logging-log4j2/pull/608
In reply to Lorenzo Ng

Re: Log4J vulnerability? with texlive

by Glenn Rice -

That file is not only not part of WeBWorK, but it is also not a file that is used by WeBWorK or even the apache2 server.  It is part of the texlive distribution, and certainly is not a server vulnerability unless you are exposing that file in some way with something you serve on your server.

In reply to Glenn Rice

Re: Log4J vulnerability? with texlive

by Lorenzo Ng -

Thank you @Glenn Rice

I thought it was used ... yum -y install dvipng gd-devel texlive-latex ....

Would it still be worth it to upgrade it regardless?

Is there a way I can check if that file is exposed outside our server?

In reply to Lorenzo Ng

Re: Log4J vulnerability? with texlive

by Glenn Rice -

Here is some information on this: https://tug.org/texlive/cve-log4j.html

WeBWorK does not use this in any way, and it is unlikely that anything does on your server.  You just need to check if you have anything that calls the arara utility for compiling tex documents.  Even if you do, it would have to be a job that is called with external input data in order for there to be any real vulnerability, and that is even less likely to be the case.
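The checks suggested in this thread (is the log4j inside arara.jar actually a vulnerable build, is the jar under a web-served directory, and does anything on the box invoke arara at all), as an added example script. This is not WeBWorK or TeX Live code. It assumes arara.jar is a plain zip-format jar that either contains the log4j-core classes directly or nests a log4j-core jar inside it; the version thresholds are the ones quoted in the scanner output above, and later Apache advisories raised them (2.3.2 / 2.12.4 / 2.17.1), so adjust `is_vulnerable_version` to the current advisory. The document roots and script directories in the `__main__` block are placeholders for your own server layout.

```python
#!/usr/bin/env python3
"""Triage a Log4Shell scanner hit on a bundled jar (e.g. TeX Live's arara.jar).

Added example for this thread; it is not WeBWorK or TeX Live code.  It checks:
  1. which log4j-core version the jar bundles and whether JndiLookup.class is
     present (the class the vendor mitigation removes);
  2. whether the jar lies under a directory the web server serves;
  3. which scripts under given directories invoke `arara` at all.
"""
import io
import os
import re
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar (kept unchanged when it is shaded into a fat jar).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(v):
    """Per-branch thresholds as quoted in the scanner output:
    2.x < 2.3.1, 2.4 <= x < 2.12.3, 2.13 <= x < 2.15.0.
    Log4j 1.x is EOL and is not assessed here."""
    if v[0] != 2:
        return False
    if v < (2, 4, 0):
        return v < (2, 3, 1)
    if v < (2, 13, 0):
        return v < (2, 12, 3)
    return v < (2, 15, 0)


def _scan_zip(zf, found):
    """Record log4j-core version and JndiLookup presence; recurse into nested
    jars (e.g. lib/log4j-core-*.jar packed inside an application jar)."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    found["version"] = line.split("=", 1)[1].strip()
        elif name.endswith(JNDI_LOOKUP):
            found["jndi_lookup"] = True
        elif name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, found)


def inspect_jar(path):
    """Return {'version', 'jndi_lookup', 'verdict'} for the jar at `path`."""
    found = {"version": None, "jndi_lookup": False}
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, found)
    if found["version"] is None and not found["jndi_lookup"]:
        verdict = "no log4j-core found"
    elif found["version"] is None:
        verdict = "JndiLookup present, version unknown: treat as vulnerable"
    elif not is_vulnerable_version(parse_version(found["version"])):
        verdict = "patched"
    elif found["jndi_lookup"]:
        verdict = "vulnerable"
    else:
        verdict = "vulnerable version, but JndiLookup.class removed (mitigated)"
    found["verdict"] = verdict
    return found


def under_served_path(path, document_roots):
    """True if `path` is inside any web-served directory (after symlink
    resolution), i.e. a client could fetch the jar itself over HTTP."""
    p = Path(path).resolve()
    return any(p == r or r in p.parents
               for r in (Path(d).resolve() for d in document_roots))


def find_arara_callers(dirs):
    """Text files under `dirs` that mention `arara` as a whole word: the only
    places a job could feed externally supplied input into the jar."""
    pat = re.compile(rb"\barara\b")
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for f in files:
                fp = os.path.join(root, f)
                try:
                    with open(fp, "rb") as fh:
                        data = fh.read(1 << 20)  # first 1 MiB is enough for scripts
                except OSError:
                    continue
                if b"\x00" not in data and pat.search(data):  # skip binaries
                    hits.append(fp)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    jar = sys.argv[1] if len(sys.argv) > 1 else \
        "/usr/local/texlive/2021/texmf-dist/scripts/arara/arara.jar"
    print(inspect_jar(jar))
    # Assumed locations; replace with your DocumentRoot/Alias targets and script dirs.
    print("served by web server:", under_served_path(jar, ["/var/www/html"]))
    print("callers:", find_arara_callers(["/etc/cron.d", "/usr/local/bin"]))
```

Run it as root against the path from the scanner report. A "vulnerable" verdict only matters if `under_served_path` is true (someone can download the jar, which is harmless in itself) or `find_arara_callers` turns up a job that compiles externally supplied TeX; with neither, updating arara via tlmgr is housekeeping rather than an incident.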