Hi Justin, I don't see anything in the logs either.

Thanks & Regards
Vishnu Middela

-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Monday, January 29, 2024 7:47 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

CAUTION - EXTERNAL:

Your output doesn't indicate any problems. Everything looks normal as far as I can tell. This is the same output I see when I execute "activemq start" on a default instance of ActiveMQ Classic 5.18.3. I recommend you check the output in data/activemq.log to see if the broker started up properly.


Justin

On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi,
> Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3
>
> Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue.
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq start
> INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> INFO: Using java '/usr/bin/java'
> INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details
> INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
>
> Thanks & Regards
> Vishnu Middela
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Tuesday, January 16, 2024 1:43 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
>
> CAUTION - EXTERNAL:
>
> ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2. The best way you can mitigate security issues is to stay up-to-date. I strongly recommend you migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2].
>
> If you don't want to or can't upgrade for some reason then you can remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, & CVE-2022-23302.
>
>
> Justin
>
> [1] https://reload4j.qos.ch/
> [2] https://activemq.apache.org/components/classic/download/
> [3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar
>
> On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:
>
> > Hi,
> > Security team had raised concern on Log4j vulnerabilities for Apache Active MQ.
> >
> > Our current Apache Active MQ version is 5.15.8.
> >
> > Can you please let us know how we can avoid these Log4J vulnerabilities.
> >
> > Also below is the sample report attached.
> >
> > Plugin Output:
> > Path : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar
> > Installed version : 1.2.15
> >
> > Path : /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > Path : /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > Installed version : 1.2.17
> >
> > According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :
> >
> > - Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)
> >
> > - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. (CVE-2020-9488)
> >
> > - JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker. (CVE-2022-23302)
> >
> > Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
> > Apache Log4j 1.x Multiple Vulnerabilities
> >
> > Thanks & Regards
> > Vishnu Middela
> >
>
> CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary. Exercise caution when opening attachments or clicking on links.
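The scanner's check and the interim mitigation from Justin's reply (remove log4j-1.2.17.jar, drop in the binary-compatible reload4j-1.2.25.jar) as a small POSIX sh script; this is an added example, not code from the thread or the ActiveMQ project. It assumes the reload4j jar has already been downloaded from [3] to a local path, the function names are mine, and it only moves the old jar aside (into a quarantine directory) so the change can be reverted before the broker restart and the data/activemq.log check the thread recommends.

```sh
#!/bin/sh
# Added example, not code from the thread or the ActiveMQ project.
# Reproduces the scanner's finding (Log4j 1.x jars on disk) and applies the
# interim mitigation from the thread for installs that cannot move to 5.18.3
# yet: remove log4j-1.2.x.jar and drop in reload4j-1.2.25.jar. Assumes the
# reload4j jar was already downloaded from [3]; nothing here uses the network.

# Print every Log4j 1.x jar under $1, one per line (what the scanner flagged).
list_log4j1_jars() {
    find "$1" -type f -name 'log4j-1.*.jar' 2>/dev/null | sort
}

# Return 0 when no Log4j 1.x jar remains under $1, 1 otherwise. The scanner
# keys on the jar's presence, so the old jar must be gone, not just shadowed.
audit_log4j1() {
    hits=$(list_log4j1_jars "$1")
    [ -z "$hits" ] && return 0
    printf 'Log4j 1.x jars still present under %s:\n%s\n' "$1" "$hits"
    return 1
}

# For each Log4j 1.x jar under $1: copy the reload4j jar $2 beside it (unless
# one is already there) and move the old jar into quarantine directory $3 so
# the change is reversible. Restart the broker afterwards and confirm a clean
# start in data/activemq.log.
swap_to_reload4j() {
    root=$1; reload4j=$2; quarantine=$3
    [ -f "$reload4j" ] || { echo "reload4j jar not found: $reload4j" >&2; return 1; }
    mkdir -p "$quarantine" || return 1
    # Here-document keeps the loop in the current shell so 'return' works
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        dir=$(dirname "$jar")
        have_reload4j=0
        for r in "$dir"/reload4j-*.jar; do
            [ -e "$r" ] && have_reload4j=1
        done
        [ "$have_reload4j" -eq 1 ] || cp "$reload4j" "$dir/" || return 1
        # Flatten the full path into the quarantine file name to avoid collisions
        mv "$jar" "$quarantine/$(printf '%s' "$jar" | tr '/' '_')" || return 1
    done <<EOF
$(list_log4j1_jars "$root")
EOF
}
```

Run `audit_log4j1 /app01/apachemq` before and after `swap_to_reload4j`; a clean audit only says the old jar is gone, so the broker start and activemq.log still need checking.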