Krampus gave us another log4j remote code execution vulnerability (CVE-2021-44832), with the patch coming about 10 days after XCode 13.2.1 was released.
XCode might be vulnerable; it's 13.2.1 release notes don't mention patching this newer vulnerability.
I'm with donmontalvo and wish XCode would excludes all log4j versions less than 2.17.1. When I scan my system with CloudStrike's CAST tool, XCode pops in a big way. If XCode could upgrade /Applications/Xcode.app/Contents/SharedFrameworks/ContentDeliveryServices.framework/Versions/A/itms/share/OSGi-Bundles/org.apache.logging.log4j.core-2.11.2.jar to a secure version, my company would be much less worried.
josiah-johnston
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution