ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2. The best way you can mitigate security issues is to stay up-to-date. I strongly recommend you migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2].
If you don't want to or can't upgrade for some reason then you can remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, & CVE-2022-23302. Justin [1] https://reload4j.qos.ch/ [2] https://activemq.apache.org/components/classic/download/ [3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela < vishnu_midd...@ao.uscourts.gov> wrote: > Hi, > Security team had raised concern on Log4j vulnerabilities for > Apache Active MQ. > > Our current Apache Active MQ version is 5.15.8. > > Can you please let us know how we can avoid these Log4J vulnerabilities. > > Also below is the sample report attached. > > Plugin Output: > Path : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar > Installed version : 1.2.15 > > > > Path : > /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > > > > Path : > /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > Installed version : 1.2.17 > According to its self-reported version number, the installation of Apache > Log4j on the remote host is 1.x and is no longer supported. Log4j reached > its end of life prior to 2016. Additionally, Log4j 1.x is affected by > multiple vulnerabilities, including : > > - Log4j includes a SocketServer that accepts serialized log events and > deserializes them without verifying whether the objects are allowed or > not. This can provide an attack vector that can be exploited. > (CVE-2019-17571) > > - Improper validation of certificate with host mismatch in Apache Log4j > SMTP appender. This could allow an SMTPS connection to be intercepted > by a man-in-the-middle attack which could leak any log messages sent > through that appender. (CVE-2020-9488) > > - JMSSink uses JNDI in an unprotected manner allowing any application > using the JMSSink to be vulnerable if it is configured to reference an > untrusted site or if the site referenced can be accesseed by the attacker. > (CVE-2022-23302) > > Lack of support implies that no new security patches for the product will > be released by the vendor. As a result, it is likely to contain security > vulnerabilities. > Apache Log4j 1.x Multiple Vulnerabilities > > > > Thanks & Regards > Vishnu Middela > >
