> We are using ActiveMQ Classic 5.15.4. Thus, we need to upgrade to either ActiveMQ Classic 5.15.15 or 5.16.3, correct?

That is *not* correct. Did you happen to take a look at the documentation [1] on this which I linked? There are some highlighted statements which answer your question specifically.

Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Wed, Dec 15, 2021 at 3:06 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS INTEGRA, INC.] <rahman.guna...@nasa.gov.invalid> wrote:

> We are using ActiveMQ Classic 5.15.4. Thus, we need to upgrade to either
> ActiveMQ Classic 5.15.15 or 5.16.3, correct?
>
> Thanks
>
> Regards,
> Rahman
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Wednesday, December 15, 2021 3:58 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities
>
> > Could we please get an official statement about ActiveMQ's security
> > wrt log4j?
>
> To be clear, this [1] is the official statement you requested.
>
>
> Justin
>
> [1] https://activemq.apache.org/news/cve-2021-44228
>
> On Mon, Dec 13, 2021 at 3:00 AM Lionel Cons <lionel.c...@cern.ch> wrote:
>
> > Recently, a new critical vulnerability has been published for log4j:
> > CVE-2021-44228.
> >
> > I've read different things from different sources.
> >
> > According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> > "This issue only affects log4j versions between 2.0 and 2.14.1".
> >
> > According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q):
> > "Any Log4J version prior to v2.15.0 is affected to this specific issue."
> > and, more explicitly, "The v1 branch of Log4J which is considered End Of
> > Life (EOL) is vulnerable to other RCE vectors so the recommendation is to
> > still update to 2.15.0 where possible.".
> >
> > It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> >
> > Could we please get an official statement about ActiveMQ's security
> > wrt log4j?
> >
> > Thanks!
> >
> > Lionel
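The thread turns on which log4j line a broker actually ships: ActiveMQ 5.16 is said above to use log4j 1.2.17, while the Red Hat text quoted above puts CVE-2021-44228 in log4j 2.0 through 2.14.1 and the GHSA names 2.15.0 as the fix. The following is an added example, not ActiveMQ project code and not from any poster in the thread: a Python scanner that opens every jar in a lib directory and reports, from the class entries and Maven metadata inside the jar rather than its file name, whether it bundles log4j 1.x or log4j-core 2.x, which version, and whether the JndiLookup class (the one the published workaround removed) is still present. It goes beyond the thread's single case by also handling shaded jars that embed log4j classes under another name. The jar names and contents written by build_sample_lib are constructed for the demo and are assumptions, not a description of real ActiveMQ distribution jars; FIXED_FROM is the 2.15.0 quoted from the GHSA above, and later log4j releases supersede it.

```python
"""Scan a directory of jars for bundled log4j and classify each against
CVE-2021-44228.  Added example (not ActiveMQ project code); the sample jars
built below are constructed, not real distribution artifacts."""
import re
import tempfile
import zipfile
from pathlib import Path

LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"   # log4j 2.x core classes
LOG4J1_PREFIX = "org/apache/log4j/"                     # log4j 1.x classes
JNDI_LOOKUP = LOG4J2_CORE_PREFIX + "lookup/JndiLookup.class"  # class behind CVE-2021-44228
# Maven metadata that survives shading, so the version does not depend on the file name.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
FIXED_FROM = (2, 15, 0)  # first fixed release per the GHSA quoted in the thread


def _version_tuple(text):
    """'2.14.1' -> (2, 14, 1); None when no x.y.z is present (e.g. '2.0-beta9')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def _pom_version(zf, entry):
    """Read version=... from a pom.properties entry, or None if the entry is absent."""
    try:
        props = zf.read(entry).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return _version_tuple(line[len("version="):])
    return None


def classify_jar(path):
    """Return (finding, version) for one jar.

    finding is one of: 'none', 'log4j1', 'log4j2-vulnerable',
    'log4j2-class-removed', 'log4j2-fixed', 'log4j2-unknown-version'.
    """
    path = Path(path)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        has_core = any(n.startswith(LOG4J2_CORE_PREFIX) for n in names)
        has_v1 = any(n.startswith(LOG4J1_PREFIX) for n in names)
        if not has_core:
            # log4j 1.x is outside the CVE-2021-44228 range but is EOL (see the GHSA text above).
            return ("log4j1", _pom_version(zf, LOG4J1_POM)) if has_v1 else ("none", None)
        version = _pom_version(zf, LOG4J2_POM)
        if version is None and path.name.startswith("log4j-core-"):
            version = _version_tuple(path.name)  # trust the file name only for an unshaded core jar
        has_jndi = JNDI_LOOKUP in names
    if version is None:
        return ("log4j2-unknown-version", None)
    if version >= FIXED_FROM:
        return ("log4j2-fixed", version)
    # Below the fix: deleting JndiLookup.class from the jar was the published workaround.
    return ("log4j2-vulnerable" if has_jndi else "log4j2-class-removed", version)


def scan(lib_dir):
    """Map jar file name -> (finding, version) for every *.jar in lib_dir."""
    return {p.name: classify_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))}


def build_sample_lib(root):
    """Write constructed jars (empty class entries) that exercise each case."""
    root = Path(root)

    def jar(name, entries, pom=None, pom_version=None):
        with zipfile.ZipFile(root / name, "w") as zf:
            if pom:
                zf.writestr(pom, f"version={pom_version}\n")
            for entry in entries:
                zf.writestr(entry, b"")

    jar("log4j-1.2.17.jar", [LOG4J1_PREFIX + "Logger.class"], LOG4J1_POM, "1.2.17")
    # Assumed shaded broker jar: embeds log4j 1.x classes but carries no log4j metadata.
    jar("shaded-broker.jar", ["org/example/broker/Main.class", LOG4J1_PREFIX + "Logger.class"])
    jar("log4j-core-2.14.1.jar", [LOG4J2_CORE_PREFIX + "Logger.class", JNDI_LOOKUP], LOG4J2_POM, "2.14.1")
    jar("app-with-class-removed.jar", [LOG4J2_CORE_PREFIX + "Logger.class"], LOG4J2_POM, "2.14.1")
    jar("log4j-core-2.15.0.jar", [LOG4J2_CORE_PREFIX + "Logger.class", JNDI_LOOKUP])  # version from file name
    jar("uber-no-metadata.jar", [LOG4J2_CORE_PREFIX + "Logger.class", JNDI_LOOKUP])
    jar("jackson-core-2.13.0.jar", ["com/fasterxml/jackson/core/JsonParser.class"])
    return root


def demo_scan():
    """Build the sample lib in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_lib(tmp))


if __name__ == "__main__":
    for name, (finding, version) in demo_scan().items():
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{name:28} {finding:24} {shown}")
```

On a real broker, point scan() at the installation's lib directory instead of the constructed sample. A jar reported as log4j1 answers the question asked in the thread (it is not in the CVE-2021-44228 range), but not the broader one: the 1.x branch is EOL, as the GHSA text quoted above says. A jar reported as log4j2-unknown-version is the case to chase by hand, since a shaded jar with no Maven metadata gives the scanner nothing to compare against FIXED_FROM.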