Hi

Big thanks to Justin for the complete answer. Nothing to add, just thanks 
again to Justin ;)

And yes, the log4j2 upgrade PR will be OK soon, towards the 5.17.0 vote. 

Regards 
JB

> On 13 Jan 2022 at 21:59, Justin Bertram <jbert...@apache.org> wrote:
> 
>> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
>> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
>> Log4j 1.2.17 has not been maintained since August 2015.
> 
> The "official statement" [1] that you reference is only dealing with
> CVE-2021-44228. It's not a general statement about all the security
> vulnerabilities in Log4j 1.2.17. It remains a fact that Log4j 1.2.17 is not
> impacted by CVE-2021-44228.
> 
>> Here an existing security vulnerability, (CVE-2019-17571) is not fixed
>> with the note "Users are urged to upgrade to Log4j 2".
> 
> Regarding CVE-2019-17571 you can read more on this Jira [2]. In short, as
> noted by Jean-Baptiste Onofré, "ActiveMQ is not affected as it doesn't use
> the SocketServer. However, I think it makes sense to update/support
> log4j2..." AMQ-7426 [3] was later created to track the work to upgrade to
> Log4j 2.
> 
>> This situation will not be accepted by a number of large customers, which
>> demand a timely exchange of this component to the officially released new
>> Log4j version 2.
> 
> Since you've sent this email to the public Apache ActiveMQ mailing lists
> you're dealing with "community support" as described on the ActiveMQ
> website [4]. As noted, this support is provided on a volunteer basis.
> Furthermore, in the spirit of open-source, all community members are
> encouraged (although certainly not required) to get involved. As noted in a
> recent position paper [5] from the Apache Software Foundation, "Community
> is defined by those who show up and do the work." I would strongly
> encourage your organization, as an "intensive user of the Apache
> technology," to avail itself of *all* the benefits of open source. With
> your help to "do the work" this issue could potentially have been resolved
> long ago.
> 
>> Therefore we ask you kindly to name and communicate an official release
>> date for ActiveMQ 5.17.0 (including the Log4j version 2).
> 
> Given the volunteer nature of community support and how open-source works
> at Apache I'm not sure "an official release date" can be provided, at least
> not like you'd expect from a commercial software vendor. As noted on the
> users mailing list as well as the Log4j 2 upgrade PR [6] (linked from the
> aforementioned statement about CVE-2021-44228 [1]), the current plan is to
> put a release up for vote at the end of January. All community members can
> vote on the release for 3 days, and if the vote passes then the release
> should be done in early February.
> 
> I hope that helps!
> 
> 
> Justin
> 
> [1] https://activemq.apache.org/news/cve-2021-44228
> [2] https://issues.apache.org/jira/browse/AMQ-7370
> [3] https://issues.apache.org/jira/browse/AMQ-7426
> [4] https://activemq.apache.org/support
> [5] https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper
> [6] https://github.com/apache/activemq/pull/662
> 
>> On Thu, Jan 13, 2022 at 2:09 PM Knöringer, Ralf
>> <ralf.knoerin...@atos.net.invalid> wrote:
>> 
>> To whom it may concern,
>> 
>> as an intensive user of the Apache technology in our enterprise
>> architecture and product portfolio I may draw your attention to a critical
>> issue.
>> 
>> Based on the known vulnerability CVE-2021-44228 in the Log4j Version 2
>> many of our large enterprise customers (e.g. Volkswagen Financial Services)
>> are becoming very sensitive to the risk of using software elements not
>> under maintenance.
>> 
>> 
>> 
>> Unfortunately we have this situation with the message broker ActiveMQ
>> "Classic" (the latest versions 5.15.15 and 5.16.3) as there is an embedded
>> use of the Log4j version 1.2.17.
>> 
>> 
>> 
>> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
>> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
>> Log4j 1.2.17 has not been maintained since August 2015.
>> 
>> (Here an existing security vulnerability (CVE-2019-17571) is not fixed,
>> with the note "Users are urged to upgrade to Log4j 2".)
>> 
>> 
>> 
>> This situation will not be accepted by a number of large customers, which
>> demand a timely exchange of this component to the officially released new
>> Log4j version 2.
>> 
>> Therefore we ask you kindly to name and communicate an official release
>> date for ActiveMQ 5.17.0 (including the Log4j version 2).
>> 
>> 
>> 
>> A timely answer is really appreciated as we think this could mitigate
>> negative responses and create a positive feedback from the market.
>> 
>> 
>> 
>> Best regards
>> 
>> Ralf Knöringer
>> Senior Manager
>> Big Data & Cybersecurity - IAM
>> M: +49 172 5229705
>> Otto-Hahn-Ring 6, 81739 Munich - Germany
>> https://atos.net/
>> 
>> Atos Information Technology GmbH; Managing Directors: Udo Littke, Boris
>> Hecker; Chairman of the Supervisory Board: N.N.; Registered office: Munich;
>> Commercial register of the local court of Munich, HRB 235509
>> 
>> 