ActiveMQ 5.17.0 has not been released yet which is why you can't find it on the website to download. Note that the website [1] refers to 5.17.0 as "upcoming."
Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Wed, Dec 15, 2021 at 2:48 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS INTEGRA, INC.] <rahman.guna...@nasa.gov.invalid> wrote:

> I couldn't find ActiveMQ 5.17.x in https://activemq.apache.org/download-archives. Could you please let me know where I can download ActiveMQ 5.17?
>
> Thanks
>
> Regards,
> Rahman
>
> -----Original Message-----
> From: Jean-Baptiste Onofré <j...@nanthrax.net>
> Sent: Monday, December 13, 2021 4:50 AM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities
>
> Hi,
>
> I was about to send a message to the mailing list to give an update.
>
> 1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by CVE-2021-44228. The other mentioned CVE only affects users using the JMS appender, which is pretty rare.
> 2. ActiveMQ 5.17.x (main) will use log4j2; I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE.
>
> Regards
> JB
>
> On 13/12/2021 09:59, Lionel Cons wrote:
> > Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
> >
> > I've read different things from different sources.
> >
> > According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
> >
> > According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".
> >
> > It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> >
> > Could we please get an official statement about ActiveMQ's security wrt log4j?
> >
> > Thanks!
> >
> > Lionel
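The version question that runs through this thread (which log4j jars fall in the CVE-2021-44228 range quoted from Red Hat and GitHub, and whether a log4j 1.x install has the JMS appender JB mentions configured) as a defender-side inventory check. This is an added example, not code from the mailing list or the ActiveMQ project; the jar list and log4j.properties snippet are constructed sample input, and the class name org.apache.log4j.net.JMSAppender is the log4j 1.x appender class.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as quoted in the thread: Red Hat says "between 2.0 and
# 2.14.1", GitHub says "prior to v2.15.0"; both reduce to "< 2.15.0".
FIXED_IN: Tuple[int, int, int] = (2, 15, 0)

# Matches log4j-1.x jars (log4j-1.2.17.jar) and log4j 2 core jars
# (log4j-core-2.14.1.jar). log4j-api alone does not carry the lookup code.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")
JMS_APPENDER_RE = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")

def parse_version(jar_name: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for a log4j/log4j-core jar, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(jar_name: str) -> str:
    """Classify one jar against the statements quoted in the thread."""
    v = parse_version(jar_name)
    if v is None:
        return "not-log4j"
    if v[0] == 1:
        # JB's point: 1.2.x is outside CVE-2021-44228, but GitHub calls the
        # v1 branch EOL, so it still needs a review rather than a pass.
        return "log4j1-eol"
    return "vulnerable-cve-2021-44228" if v < FIXED_IN else "fixed"

def uses_jms_appender(log4j_properties: str) -> bool:
    """The other CVE JB mentions only matters when JMSAppender is configured."""
    return JMS_APPENDER_RE.search(log4j_properties) is not None

def audit(jars: List[str], log4j_properties: str = "") -> Dict[str, str]:
    """Map each jar to its finding; add a config finding for 1.x + JMSAppender."""
    report = {jar: classify(jar) for jar in jars}
    if "log4j1-eol" in report.values() and uses_jms_appender(log4j_properties):
        report["log4j.properties"] = "jms-appender-configured"
    return report

# Constructed sample: an ActiveMQ 5.16-style lib/ listing plus a config
# that wires up the JMS appender (invented for illustration).
SAMPLE_LIB = ["activemq-client.jar", "log4j-1.2.17.jar", "slf4j-api.jar"]
SAMPLE_PROPERTIES = "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=org.apache.log4j.net.JMSAppender\n"

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LIB, SAMPLE_PROPERTIES).items():
        print(f"{name}: {finding}")
```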