Surely the practical risk here is fairly low, right? I can’t imagine many cases where the input to an app submission tool comes from someone who can’t be trusted to run code on the machine where the tool is running.
I am surprised that they ship one of the short lived OpenJDK releases in a product like this. I would have assumed they would use an LTS release for that.
Sounds like log4j is only used by one bundled utility (that I’ve never heard of or used) called Transporter:
Transporter is Apple’s Java-based command-line tool for large catalog deliveries. You can use Transporter to deliver your pre-generated content, in a Store Package, to the iTunes Store, Apple Books, and App Store.
Apple doesn’t tend to use Java for anything client-side and I’m not aware of anything else in Xcode that runs it.
The JVM they ship has also been EOL since September 2020: https://endoflife.date/java
Yeah, it was created to make it easier for the post houses to deliver large intermediates to the iTunes Store for processing.
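The two things the thread turns on, a log4j jar bundled inside Transporter and an embedded JVM that is past end of life, are both facts you can verify on disk rather than take on faith. The script below is an added example, not Apple's tooling or anything posted by a commenter: it walks a directory tree, reports every log4j jar it finds together with the version from the jar manifest (falling back to the version in the file name), and reports the JAVA_VERSION of any embedded JDK. It assumes the usual log4j-<module>-<version>.jar naming and the standard top-level `release` file that JDK builds carry; the sample tree it builds when run without an argument is constructed for the demonstration and is not the real Xcode or Transporter layout, which the thread does not give.

```python
"""Inventory bundled log4j jars and embedded JDK versions under a directory.

Added example, not Apple's or the thread's code. Assumptions (not from the
page): log4j jars follow log4j-<module>-<version>.jar naming, and an
embedded JDK carries the standard top-level `release` file containing a
JAVA_VERSION="..." line.
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional

# log4j-core-2.0.0.jar, log4j-api-2.0.0.jar, log4j-1.2.17.jar all match;
# the captured group is the version string.
LOG4J_JAR = re.compile(r"^log4j(?:-[a-z0-9]+)*-(\d[\w.-]*)\.jar$", re.IGNORECASE)
JAVA_VERSION = re.compile(r'^JAVA_VERSION="([^"]+)"')


def jar_version(jar: Path) -> Optional[str]:
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to
    the version encoded in the file name. Returns None if neither is found."""
    manifest = ""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a zip, or no manifest: fall through to the file name
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    m = LOG4J_JAR.match(jar.name)
    return m.group(1) if m else None


def jdk_version(release_file: Path) -> Optional[str]:
    """Parse JAVA_VERSION from a JDK's `release` file (None if absent)."""
    for line in release_file.read_text(errors="replace").splitlines():
        m = JAVA_VERSION.match(line)
        if m:
            return m.group(1)
    return None


def inventory(root: Path) -> Dict[str, Dict[str, Optional[str]]]:
    """Walk `root`; map relative paths of log4j jars and JDK release files
    to the versions found. Non-log4j jars and unrelated files are ignored."""
    found: Dict[str, Dict[str, Optional[str]]] = {"log4j": {}, "jdk": {}}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if LOG4J_JAR.match(p.name):
            found["log4j"][rel] = jar_version(p)
        elif p.name == "release":
            v = jdk_version(p)
            if v is not None:  # only count files that really look like a JDK release file
                found["jdk"][rel] = v
    return found


def build_sample_tree(root: Optional[Path] = None) -> Path:
    """Constructed sample layout (not the real Xcode/Transporter layout): an
    app bundling two log4j jars, one unrelated jar, and a JDK `release` file."""
    root = root or Path(tempfile.mkdtemp())
    lib = root / "Transporter.app" / "Contents" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "log4j-core-2.0.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 2.0.0\r\n")
    with zipfile.ZipFile(lib / "log4j-api-2.0.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")  # no version header
    with zipfile.ZipFile(lib / "commons-io-2.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
    home = root / "Transporter.app" / "Contents" / "jre" / "Contents" / "Home"
    home.mkdir(parents=True, exist_ok=True)
    (home / "release").write_text('JAVA_VERSION="14.0.0"\nOS_NAME="Darwin"\n')
    return root


if __name__ == "__main__":
    # Usage: python inventory_log4j.py /Applications/Xcode.app
    # Without an argument, scan the constructed sample tree instead.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    result = inventory(target)
    for kind in ("log4j", "jdk"):
        for rel, ver in sorted(result[kind].items()):
            print(f"{kind}\t{ver}\t{rel}")
```

Point it at an Xcode.app bundle (or any directory) to get one line per log4j jar and per embedded JDK; compare the JAVA_VERSION you get against https://endoflife.date/java to confirm the thread's EOL claim for your own copy rather than relying on the comment.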