Thank you very much! :-)
Sent: Monday, 13 December 2021 at 15:16
From: "Domenico Francesco Bruscino" <bruscin...@gmail.com>
To: users@activemq.apache.org
Subject: Re: Re: ActiveMQ 5.16 and log4j vulnerabilities

Hi Benjamin,

ActiveMQ Artemis 2.17.0 depends on log4j 1.2 and it doesn't use SocketServer so it's not impacted by those CVEs.

Regards,
Domenico

On Mon, 13 Dec 2021 at 12:28, Benny K <ben...@gmx.net> wrote:

> Hi there,
>
> we are using ActiveMQ Artemis Version 2.17.0
> - Are we affected by those CVEs / Log4Shell?
> - How can we patch?
>
> Thanks and Best Regards
> Benjamin
>
> Sent: Monday, 13 December 2021 at 11:04
> From: "Jean-Baptiste Onofré" <j...@nanthrax.net>
> To: users@activemq.apache.org
> Subject: Re: ActiveMQ 5.16 and log4j vulnerabilities
>
> My understanding is that CVE-2019-17571 only impacts the socket/JMS appender.
>
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely
> execute arbitrary code when combined with a deserialization gadget when
> listening to untrusted network traffic for log data."
>
> Regards
> JB
>
> On 13/12/2021 10:56, Vilius Šumskas wrote:
> > Hi,
> >
> > log4j 1.2 series is vulnerable to CVE-2019-17571, which has a CVSS score
> > of 9.8. This needs to be addressed too.