Hi,

The security team has raised concerns about Log4j vulnerabilities for Apache
ActiveMQ.

Our current Apache ActiveMQ version is 5.15.8.

Can you please let us know how we can avoid these Log4j vulnerabilities?

Also, a sample report is attached below.

Plugin Output:
  Path              : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar
  Installed version : 1.2.15

  Path              : /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

  Path              : /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
  Installed version : 1.2.17

According to its self-reported version number, the installation of Apache Log4j
on the remote host is 1.x and is no longer supported. Log4j reached its end of
life prior to 2016. Additionally, Log4j 1.x is affected by multiple
vulnerabilities, including:

  - Log4j includes a SocketServer that accepts serialized log events and
    deserializes them without verifying whether the objects are allowed or not.
    This can provide an attack vector that can be exploited. (CVE-2019-17571)

  - Improper validation of certificate with host mismatch in Apache Log4j SMTP
    appender. This could allow an SMTPS connection to be intercepted by a
    man-in-the-middle attack, which could leak any log messages sent through that
    appender. (CVE-2020-9488)

  - JMSSink uses JNDI in an unprotected manner, allowing any application using
    the JMSSink to be vulnerable if it is configured to reference an untrusted
    site or if the site referenced can be accessed by the attacker.
    (CVE-2022-23302)

Lack of support implies that no new security patches for the product will be
released by the vendor. As a result, it is likely to contain security
vulnerabilities.

Apache Log4j 1.x Multiple Vulnerabilities



Thanks & Regards
Vishnu Middela

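The scanner report above identifies Log4j 1.x jars by version and ties each of the three CVEs to a specific class (SocketServer, the SMTP appender, JMSSink). The script below is an added example, not code from the original post or from the ActiveMQ project: it walks a directory tree, reports every Log4j 1.x jar together with the CVE-bearing classes it still contains, and can write a copy of a jar with those classes removed. It assumes the entry names in RISKY_CLASSES (the org.apache.log4j.net package of Log4j 1.2.x; SocketNode is the class that performs the deserialization for SocketServer, added here beyond what the report names) and builds a constructed sample tree of placeholder jars so it runs offline; those jars hold no real bytecode.

```python
"""Added example: find Log4j 1.x jars, report CVE-bearing classes, strip them."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Jar entries behind the CVEs in the scanner output. SocketNode is the class
# that actually deserializes events accepted by SocketServer (assumption beyond
# the report, which names only SocketServer).
RISKY_CLASSES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketNode.class": "CVE-2019-17571",
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
}
JAR_NAME = re.compile(r"^log4j-(1\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    version: str
    risky: dict  # jar entry -> CVE it belongs to


def jar_version(path):
    """Version from the file name, else Implementation-Version in the manifest."""
    m = JAR_NAME.match(os.path.basename(path))
    if m:
        return m.group(1)
    with zipfile.ZipFile(path) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return "unknown"
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def scan(root):
    """Return a Finding for every Log4j 1.x jar below root (renamed jars included)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if "log4j" not in name.lower() or not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if not version.startswith("1."):
                continue  # 2.x jars need a different check; out of scope here
            with zipfile.ZipFile(path) as z:
                entries = set(z.namelist())
            risky = {c: cve for c, cve in RISKY_CLASSES.items() if c in entries}
            findings.append(Finding(path, version, risky))
    return findings


def strip_risky_classes(src, dst):
    """Copy src to dst without the risky entries; return what was removed.
    Stopgap only: the result is still an unsupported 1.x jar."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename in RISKY_CLASSES:
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_tree(base):
    """Constructed sample mirroring the report layout (placeholder jar contents)."""
    libdir = os.path.join(base, "apache-activemq-5.15.8", "lib", "optional")
    os.makedirs(libdir)
    jar = os.path.join(libdir, "log4j-1.2.17.jar")
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        z.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for cls in RISKY_CLASSES:
            z.writestr(cls, b"\xca\xfe\xba\xbe")
    # A 2.x jar beside it must not be reported by this 1.x check.
    with zipfile.ZipFile(os.path.join(libdir, "log4j-core-2.17.1.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nImplementation-Version: 2.17.1\n")
    return jar


def run_demo():
    """Scan the sample tree, strip the flagged jar in place, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_tree(tmp)
        before = scan(tmp)
        removed = strip_risky_classes(jar, jar + ".tmp")
        os.replace(jar + ".tmp", jar)
        after = scan(tmp)
    return {
        "before": [(f.version, sorted(set(f.risky.values()))) for f in before],
        "removed": sorted(removed),
        "after": [(f.version, sorted(set(f.risky.values()))) for f in after],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run `scan("/app01/apachemq")` on a host from the report to get the same path list the plugin produced, plus which of the three classes each jar still carries. Note that after stripping, the jar is still reported as 1.x with no risky entries: the plugin flags the version, not the classes, so the finding will persist until the jar is replaced by a supported logging library, which is the only lasting fix given that no further 1.x patches will be released.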