We are using 5.16 version Seems like it is using log4j 1.2.17 which Is not vulnerable I think that posting the versions and the status (infected/not infected) will be great help
From: Chittaranjan Panda <chittaran...@hotmail.com> Sent: Monday, 13 December 2021 16:32 To: users@activemq.apache.org Subject: Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities? [https://s3.amazonaws.com/staticmediafiles/media/sights/iron-icon-color.png] IRONSCALES couldn't recognize this email as this is the first time you received an email from this sender chittaran...@hotmail.com<mailto:chittaran...@hotmail.com> Hi, Is Apache Artemis 2.18.0 is affected by log4j vulnerability ? I found in dependencies it uses jboss-logging ( https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging/3.4.2.Final ) which contains log4j-api 2.11.2 and log4j 1.2.16 and in test dependencies uses log4j-core 2.11.2. Any help and clarification on this topic. Thank you in advance On Mon, Dec 13, 2021 at 7:46 PM Justin Bertram wrote: > ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228 > doesn't impact it. > > > Justin > > On Mon, Dec 13, 2021 at 7:40 AM Benny K wrote: > > > Hi all, > > > > we have two different Active MQ versions in production-use: > > > > - Active MQ 5.8.0 > > - Active MQ Artemis 2.17.0 > > > > is it right that they both are using log4j-1.2.17 and they are NOT > > affected by the log4j vulnerability / "log4shell"? > > > > Any help would be really great. :-) > > > > Thanks and Best Regards > > Benjamin > > > > > > >
