Hi,

The log4j 1.2 series is vulnerable to CVE-2019-17571, which has a CVSS score of 
9.8. This needs to be addressed too.

-- 
    Vilius

-----Original Message-----
From: Jean-Baptiste Onofré <j...@nanthrax.net> 
Sent: Monday, December 13, 2021 11:50 AM
To: users@activemq.apache.org
Subject: Re: ActiveMQ 5.16 and log4j vulnerabilities

Hi,

I was about to send a message to the mailing list to give an update.

1. ActiveMQ is now using log4j 1.2.x, so, it's not impacted by the CVE 
2021-44228. The other mentioned CVE only affects users using JMS appender, 
which is pretty rare.
2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm updating 
to log4j 2.0.15 in this PR, addressing the CVE.

Regards
JB

On 13/12/2021 09:59, Lionel Cons wrote:
> Recently, a new critical vulnerability has been published for log4j: 
> CVE-2021-44228.
> 
> I’ve read different things from different sources.
> 
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): 
> "This issue only affects log4j versions between 2.0 and 2.14.1".
> 
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any 
> Log4J version prior to v2.15.0 is affected to this specific issue." and, more 
> explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is 
> vulnerable to other RCE vectors so the recommendation is to still update to 
> 2.15.0 where possible."
> 
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> 
> Could we please get an official statement about ActiveMQ’s security wrt log4j?
> 
> Thanks!
> 
> Lionel
> 

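As an added example (not part of this thread and not ActiveMQ or log4j code), a small inventory script that maps the log4j jar names found in a lib/ directory onto the version ranges the thread quotes: 1.x (EOL, CVE-2019-17571 per Vilius, not CVE-2021-44228 per JB), 2.0 through 2.14.1 (CVE-2021-44228), and 2.15.0 or later. The jar-name pattern and the sample directory listing are assumptions.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Jar names log4j ships under: log4j-1.2.17.jar (1.x), log4j-core-2.14.1.jar and
# log4j-api-2.14.1.jar (2.x). Anything else in the directory is skipped.
LOG4J_JAR = re.compile(r"^log4j(?:-core|-api)?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

# Version ranges exactly as stated in the thread (the Red Hat and GitHub advisories
# quoted by Lionel, CVE-2019-17571 added by Vilius); re-check current advisories.
STATUS_V1 = "log4j 1.x: EOL; CVE-2019-17571 applies, CVE-2021-44228 does not"
STATUS_V2_AFFECTED = "log4j 2.0-2.14.1: affected by CVE-2021-44228, upgrade to 2.15.0+"
STATUS_V2_FIXED = "log4j 2.15.0 or later: not affected by CVE-2021-44228"

def parse_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a log4j jar file name, None for other jars."""
    m = LOG4J_JAR.match(jar_name)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def classify(jar_name: str) -> Optional[str]:
    """Map one jar file name onto the version ranges discussed in the thread."""
    version = parse_version(jar_name)
    if version is None:
        return None
    if version[0] == 1:
        return STATUS_V1
    if (2, 0, 0) <= version <= (2, 14, 1):
        return STATUS_V2_AFFECTED
    if version >= (2, 15, 0):
        return STATUS_V2_FIXED
    return "log4j: unrecognised version line"

def inventory(jar_names: Iterable[str]) -> Dict[str, str]:
    """Classify every log4j jar in a directory listing; other jars are dropped."""
    found = ((name, classify(name)) for name in jar_names)
    return {name: status for name, status in found if status is not None}

# Constructed listing standing in for an ActiveMQ 5.16 lib/ directory (not a real install).
SAMPLE_LISTING = ["activemq-all-5.16.0.jar", "log4j-1.2.17.jar",
                  "slf4j-log4j12-1.7.30.jar", "log4j-core-2.14.1.jar"]

if __name__ == "__main__":
    # Pass os.listdir() of a real lib/ directory to inventory an actual install.
    for jar, status in inventory(SAMPLE_LISTING).items():
        print(f"{jar}: {status}")
```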