The serious Log4j vulnerability also affects Apple’s Xcode development environment. Up to and including the current version 13.2.1, the application ships with a vulnerable version of the Java logging library log4j. The library appears to be a long-standing part of the deployment functionality used to upload programs to Apple’s App Store.
Updated log4j library for app uploads
Since the end of last week, Xcode has been automatically downloading an updated version of the Java logging library and installing it in the directory ~/Library/Caches/com.apple.amp.itmstransporter, as Apple notes under the “known problems” of Xcode 13.2.1 in the release notes for developers. The fix is not listed in the general version history of Xcode in the Mac App Store. Some developers were unsettled because the log4j version shipped with Xcode is still considered vulnerable. According to Apple, Xcode now uses the updated version of the Java logging library only when uploading or submitting iOS apps for sale via the App Store.
Accordingly, the vulnerable library should not accidentally end up in the iPhone and iPad apps available to end customers – even though the older version of the Java logging library remains part of the current Xcode release for the time being.
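An added example, not from the article or from Apple, of how a developer can check which log4j versions actually sit in that cache directory: it inventories the log4j jars under ~/Library/Caches/com.apple.amp.itmstransporter and flags those below a version floor. The floor value and the two version sources (the jar manifest, falling back to the jar file name) are assumptions made here, not details the article states.

```shell
#!/bin/sh
# Added example: inventory log4j jars under the iTMSTransporter cache named in
# the article and flag versions below a floor. Floor and version sources are
# assumptions made here, not something the article or Apple states.
set -eu

TRANSPORTER_CACHE="${HOME:-.}/Library/Caches/com.apple.amp.itmstransporter"
MIN_SAFE_VERSION="2.17.0"   # assumption: floor taken from upstream Log4j advisories

# version_lt A B: succeeds when dotted version A sorts below B
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# jar_version FILE: Implementation-Version from the manifest when unzip is
# available and the jar is readable, otherwise the version in the file name
jar_version() {
    v=""
    if command -v unzip >/dev/null 2>&1; then
        v=$(unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null | tr -d '\r' \
            | sed -n 's/^Implementation-Version: *//p' | head -n1) || true
    fi
    if [ -z "$v" ]; then
        v=$(basename "$1" .jar | sed -n 's/^log4j-[a-z0-9-]*-\([0-9][0-9.]*\).*/\1/p')
    fi
    printf '%s' "$v"
}

# scan_log4j DIR: one "STATUS<TAB>VERSION<TAB>PATH" line per log4j jar found
scan_log4j() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 0; }
    find "$1" -type f -name 'log4j-*.jar' | while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if [ -z "$v" ]; then status=UNKNOWN
        elif version_lt "$v" "$MIN_SAFE_VERSION"; then status=OUTDATED
        else status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "${v:-?}" "$jar"
    done
}

# count_outdated DIR: number of jars below the floor (0 when none or dir missing)
count_outdated() {
    scan_log4j "$1" | grep -c '^OUTDATED' || true
}

scan_log4j "$TRANSPORTER_CACHE"
```

Run it again after Xcode has performed an upload to see whether the OUTDATED line for the bundled jar is joined by an OK line for the downloaded one.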
iTunes Producer may still have a Log4j vulnerability
It is currently unclear whether Apple will also deliver a hotfix for the “iTunes Producer” app, which apparently also contains a vulnerable version of the Java logging library. iTunes Producer is intended for uploading content to the Apple content stores formerly grouped under the name “iTunes Store”. On its own iCloud servers, Apple appears to have already closed the log4j hole.