Hi,
Any update on below request is appreciated..thanks
Thanks & Regards
Vishnu Middela
-----Original Message-----
From: Vishnu Middela <vishnu_midd...@ao.uscourts.gov>
Sent: Tuesday, January 23, 2024 2:23 PM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities
Hi,
If I want to upgrade current version of Apache MQ from 5.15.8 to
5.18.3 version are there any specific guidelines that I need to follow?
Can you please share any documentation that I can refer to.
Thanks & Regards
Vishnu Middela
-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Tuesday, January 16, 2024 1:43 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
CAUTION - EXTERNAL:
ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now.
Since then, in part to deal with security issues, the logging implementation
changed to Reload4j and then eventually to Log4j 2. The best way you can
mitigate security issues is to stay up-to-date. I strongly recommend you
migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2].
If you don't want to or can't upgrade for some reason then you can remove
log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be
binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, &
CVE-2022-23302.
Justin
[1] https://reload4j.qos.ch/
[2] https://activemq.apache.org/components/classic/download/
[3]
https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar
On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela <
vishnu_midd...@ao.uscourts.gov> wrote:
> Hi,
> Security team had raised concern on Log4j vulnerabilities for
> Apache Active MQ.
>
> Our current Apache Active MQ version is 5.15.8.
>
> Can you please let us know how we can avoid these Log4J vulnerabilities.
>
> Also below is the sample report attached.
>
> Plugin Output:
> Path : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar
> Installed version : 1.2.15
>
>
>
> Path :
> /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
>
>
>
> Path :
> /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> Installed version : 1.2.17
> According to its self-reported version number, the installation of
> Apache Log4j on the remote host is 1.x and is no longer supported.
> Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x
> is affected by multiple vulnerabilities, including :
>
> - Log4j includes a SocketServer that accepts serialized log events and
> deserializes them without verifying whether the objects are allowed or
> not. This can provide an attack vector that can be exploited.
> (CVE-2019-17571)
>
> - Improper validation of certificate with host mismatch in Apache Log4j
> SMTP appender. This could allow an SMTPS connection to be intercepted
> by a man-in-the-middle attack which could leak any log messages sent
> through that appender. (CVE-2020-9488)
>
> - JMSSink uses JNDI in an unprotected manner allowing any application
> using the JMSSink to be vulnerable if it is configured to reference an
> untrusted site or if the site referenced can be accesseed by the attacker.
> (CVE-2022-23302)
>
> Lack of support implies that no new security patches for the product
> will be released by the vendor. As a result, it is likely to contain
> security vulnerabilities.
> Apache Log4j 1.x Multiple Vulnerabilities
>
>
>
> Thanks & Regards
> Vishnu Middela
>
>
CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary. Exercise
caution when opening attachments or clicking on links.
