We are using ActiveMQ Classic 5.15.4.  Thus, we need to upgrade to either 
ActiveMQ Classic 5.15.15 or 5.16.3, correct?

Thanks

Regards,
Rahman

-----Original Message-----
From: Justin Bertram <jbert...@apache.org> 
Sent: Wednesday, December 15, 2021 3:58 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

> Could we please get an official statement about ActiveMQ's security
> wrt log4j?

To be clear, this [1] is the official statement you requested.


Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Mon, Dec 13, 2021 at 3:00 AM Lionel Cons <lionel.c...@cern.ch> wrote:

> Recently, a new critical vulnerability has been published for log4j:
> CVE-2021-44228.
>
> I've read different things from different sources.
>
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> "This issue only affects log4j versions between 2.0 and 2.14.1".
>
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q):
> "Any Log4J version prior to v2.15.0 is affected to this specific issue."
> and, more explicitly, "The v1 branch of Log4J which is considered End Of
> Life (EOL) is vulnerable to other RCE vectors so the recommendation is to
> still update to 2.15.0 where possible.".
>
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
>
> Could we please get an official statement about ActiveMQ's security 
> wrt log4j?
>
> Thanks!
>
> Lionel
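The practical question underneath this thread is which log4j jar a given broker install actually ships. The script below is an added example, not code from the ActiveMQ project or from anyone in the thread: it walks a `lib/` directory, picks out log4j jars by file name, and classifies each one against the version ranges quoted above (2.0 up to but below 2.15.0 affected by CVE-2021-44228; the 1.x branch outside that CVE's scope but EOL). The directory layout and jar names in the constructed sample tree are assumptions, and the `log4j-core-*` naming for the 2.x core artifact is general Maven knowledge rather than something stated on this page.

```python
"""Find log4j jars under a broker's lib/ tree and classify them against
CVE-2021-44228 using the version ranges quoted in the thread."""
import re
import tempfile
from pathlib import Path

# Two naming schemes: log4j-1.2.17.jar (1.x) and log4j-core-2.14.1.jar (2.x).
# The 2.x "log4j-api" jar alone is not matched: the lookup code lives in core.
JAR_RE = re.compile(r"^(log4j|log4j-core)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def classify(jar_name):
    """Return (artifact, version, verdict) for a log4j jar, else None."""
    match = JAR_RE.match(jar_name)
    if not match:
        return None
    artifact, version_text = match.groups()
    version = parse_version(version_text)
    if version[0] == 1:
        # Red Hat: only 2.0-2.14.1 affected; GitHub: the 1.x branch is EOL.
        verdict = "log4j 1.x: outside CVE-2021-44228 scope, but EOL branch"
    elif version < (2, 15, 0):
        verdict = "AFFECTED by CVE-2021-44228 (2.0 <= version < 2.15.0)"
    else:
        verdict = "not affected by CVE-2021-44228 (>= 2.15.0)"
    return artifact, version_text, verdict


def scan(lib_dir):
    """Recursively list every log4j jar under lib_dir with its verdict."""
    lib_dir = Path(lib_dir)
    findings = []
    for path in sorted(lib_dir.rglob("*.jar")):
        result = classify(path.name)
        if result:
            findings.append((path.relative_to(lib_dir).as_posix(), *result))
    return findings


def build_sample_tree():
    """Constructed sample (assumption): a broker-like lib/ layout with a few
    empty jar files, enough for name-based classification to run offline."""
    root = Path(tempfile.mkdtemp(prefix="broker-lib-"))
    for rel in [
        "activemq-broker-5.16.3.jar",
        "optional/log4j-1.2.17.jar",
        "optional/log4j-core-2.14.1.jar",
        "optional/log4j-api-2.14.1.jar",
        "extra/log4j-core-2.15.0.jar",
    ]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return root


if __name__ == "__main__":
    for rel, artifact, version, verdict in scan(build_sample_tree()):
        print(f"{rel}: {artifact} {version} -> {verdict}")
```

Point `scan()` at a real install's `lib/` directory instead of the sample tree to get the inventory; name-based matching is a first pass, so a jar that has been renamed or shaded into another artifact will not show up and needs a deeper check of its class contents.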
