Your screenshot didn't make it through.
Justin On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela < vishnu_midd...@ao.uscourts.gov> wrote: > Hi Justin, > > I don’t see anything in the logs either.. > > > > > > > > > > Thanks & Regards > > Vishnu Middela > > > > -----Original Message----- > From: Justin Bertram <jbert...@apache.org> > Sent: Monday, January 29, 2024 7:47 PM > To: users@activemq.apache.org > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ > classic version upgrade > > > > CAUTION - EXTERNAL: > > > > > > Your output doesn't indicate any problems. Everything looks normal as far > as I can tell. This is the same output I see when I execute "activemq > start" on a default instance of ActiveMQ Classic 5.18.3. > > > > I recommend you check the output in data/activemq.log to see if the broker > started up properly. > > > > > > Justin > > > > On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela < > vishnu_midd...@ao.uscourts.gov> wrote: > > > > > Hi, > > > Attached are the steps that are followed to upgrade ApacheMQ > > > classic from 5.15.8 to 5.18.3 > > > > > > Only message I see is as below after trying to start activemq. Please > > > let me know if I missed any steps and how to debug this issue. > > > > > > [bodi@aoedw-e-app3009 bin]$ ./activemq start > > > INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env' > > > INFO: Using java '/usr/bin/java' > > > INFO: Starting - inspect logfiles specified in logging.properties and > > > log4j2.properties to get details > > > INFO: pidfile created : > > > '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid > > > '18302') > > > > > > Thanks & Regards > > > Vishnu Middela > > > > > > -----Original Message----- > > > From: Justin Bertram <jbert...@apache.org> > > > Sent: Tuesday, January 16, 2024 1:43 PM > > > To: users@activemq.apache.org > > > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities > > > > > > CAUTION - EXTERNAL: > > > > > > > > > ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago > now. > > > Since then, in part to deal with security issues, the logging > > > implementation changed to Reload4j and then eventually to Log4j 2. The > > > best way you can mitigate security issues is to stay up-to-date. I > > > strongly recommend you migrate to the latest release of ActiveMQ > > > Classic 5.x which is 5.18.3 [2]. > > > > > > If you don't want to or can't upgrade for some reason then you can > > > remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was > > > designed to be binary compatible. That will resolve CVE-2019-17571, > > > CVE-2020-9488, & CVE-2022-23302. > > > > > > > > > Justin > > > > > > [1] https://reload4j.qos.ch/ > > > [2] https://activemq.apache.org/components/classic/download/ > > > [3] > > > > > > https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4 > > > j-1.2.25.jar > > > > > > On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela < > > > vishnu_midd...@ao.uscourts.gov> wrote: > > > > > > > Hi, > > > > Security team had raised concern on Log4j vulnerabilities > > > > for Apache Active MQ. > > > > > > > > Our current Apache Active MQ version is 5.15.8. > > > > > > > > Can you please let us know how we can avoid these Log4J > vulnerabilities. > > > > > > > > Also below is the sample report attached. > > > > > > > > Plugin Output: > > > > Path : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar > > > > Installed version : 1.2.15 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > > > > > > > > > > > > > Path : > > > > > /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar > > > > Installed version : 1.2.17 > > > > According to its self-reported version number, the installation of > > > > Apache Log4j on the remote host is 1.x and is no longer supported. > > > > Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x > > > > is affected by multiple vulnerabilities, including : > > > > > > > > - Log4j includes a SocketServer that accepts serialized log events > and > > > > deserializes them without verifying whether the objects are allowed > > > or > > > > not. This can provide an attack vector that can be exploited. > > > > (CVE-2019-17571) > > > > > > > > - Improper validation of certificate with host mismatch in Apache > Log4j > > > > SMTP appender. This could allow an SMTPS connection to be > intercepted > > > > by a man-in-the-middle attack which could leak any log messages sent > > > > through that appender. (CVE-2020-9488) > > > > > > > > - JMSSink uses JNDI in an unprotected manner allowing any application > > > > using the JMSSink to be vulnerable if it is configured to reference > > > an > > > > untrusted site or if the site referenced can be accesseed by the > > > attacker. > > > > (CVE-2022-23302) > > > > > > > > Lack of support implies that no new security patches for the product > > > > will be released by the vendor. As a result, it is likely to contain > > > > security vulnerabilities. > > > > Apache Log4j 1.x Multiple Vulnerabilities > > > > > > > > > > > > > > > > Thanks & Regards > > > > Vishnu Middela > > > > > > > > > > > CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary. > > > Exercise caution when opening attachments or clicking on links. > > > > > > > > CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary. > Exercise caution when opening attachments or clicking on links. > > >
