1. 17
  1. 3

    Surely the practical risk here is fairly low, right? I can’t imagine many cases where the input to an app submission tool comes from someone who can’t be trusted to run code on the machine where the tool is running.

    1. 3

      The JVM they ship is also EOL since September 2020: https://endoflife.date/java

      I am surprised that they ship one of the short-lived OpenJDK releases in a product like this. I would have assumed they would use an LTS release for that.

      1. 2

        Sounds like log4j is only used by one bundled utility (that I’ve never heard of or used) called Transporter:

        > Transporter is Apple’s Java-based command-line tool for large catalog deliveries. You can use Transporter to deliver your pre-generated content, in a Store Package, to the iTunes Store, Apple Books, and App Store.

        Apple doesn’t tend to use Java for anything client-side and I’m not aware of anything else in Xcode that runs it.

        1. 2

          Yeah, it was created to make it easier for the post houses to deliver large intermediates to the iTunes Store for processing.