I couldn't find ActiveMQ 5.17.x in https://activemq.apache.org/download-archives. Could you please let me know where I can download ActiveMQ 5.17?
Thanks Regards, Rahman -----Original Message----- From: Jean-Baptiste Onofré <j...@nanthrax.net> Sent: Monday, December 13, 2021 4:50 AM To: users@activemq.apache.org Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities Hi, I was about to send a message to the mailing list to give an update. 1. ActiveMQ is now using log4j 1.2.x, so, it's not impacted by the CVE 2021-44228. The other mentioned CVE only affects users using JMS appender, which is pretty rare. 2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE. Regards JB On 13/12/2021 09:59, Lionel Cons wrote: > Recently, a new critical vulnerability has been published for log4j: > CVE-2021-44228. > > I've read different things from different sources. > > According to Red Hat > (https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsecurity%2Fcve%2Fcve-2021-44228&data=04%7C01%7Crahman.gunawan%40nasa.gov%7Ccce80a4a5f1c4ef0568408d9be1e17dd%7C7005d45845be48ae8140d43da96dd17b%7C0%7C0%7C637749858736988267%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=XojZEz7monZj4Ap6H3rvDaCkeILe384LMMOaAJ8SZ2o%3D&reserved=0 > > <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsecurity%2Fcve%2Fcve-2021-44228&data=04%7C01%7Crahman.gunawan%40nasa.gov%7Ccce80a4a5f1c4ef0568408d9be1e17dd%7C7005d45845be48ae8140d43da96dd17b%7C0%7C0%7C637749858736988267%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=XojZEz7monZj4Ap6H3rvDaCkeILe384LMMOaAJ8SZ2o%3D&reserved=0>): > "This issue only affects log4j versions between 2.0 and 2.14.1". > > According to GitHub > (https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadvisories%2FGHSA-jfh8-c2jp-5v3q&data=04%7C01%7Crahman.gunawan%40nasa.gov%7Ccce80a4a5f1c4ef0568408d9be1e17dd%7C7005d45845be48ae8140d43da96dd17b%7C0%7C0%7C637749858736988267%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=MULevbPfjviCRdqKcTe2YCgTdnWbDgP8rm1huVlQ1jA%3D&reserved=0 > > <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadvisories%2FGHSA-jfh8-c2jp-5v3q&data=04%7C01%7Crahman.gunawan%40nasa.gov%7Ccce80a4a5f1c4ef0568408d9be1e17dd%7C7005d45845be48ae8140d43da96dd17b%7C0%7C0%7C637749858736988267%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=MULevbPfjviCRdqKcTe2YCgTdnWbDgP8rm1huVlQ1jA%3D&reserved=0>): > "Any Log4J version prior to v2.15.0 is affected to this specific issue." > and, more explicitly, " The v1 branch of Log4J which is considered End Of > Life (EOL) is vulnerable to other RCE vectors so the recommendation is to > still update to 2.15.0 where possible.". > > It seems that ActiveMQ 5.16 uses log4j 1.2.17. > > Could we please get an official statement about ActiveMQ's security wrt log4j? > > Thanks! > > Lionel >
