Hi,
Current Java version we have on our system is as below, does this
needs to be upgraded too for ApacheMQ classic 5.18.3 to be up and running
/app01/apachemq/apache-activemq-5.18.3/bin
[bodi@aoedw-e-app3009 bin]$ java -version
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
Thanks & Regards
Vishnu Middela
-----Original Message-----
From: Vishnu Middela <vishnu_midd...@ao.uscourts.gov>
Sent: Tuesday, January 30, 2024 7:15 AM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic
version upgrade
HI,
Below is the confirmation that activemq.log being empty..
-rwx------. 1 bodi bodi 0 Oct 24 15:32 activemq.log
drwx------. 2 bodi bodi 4096 Jan 29 17:31 kahadb
-rw-------. 1 bodi bodi 4 Jan 29 20:02 activemq.pid
[bodi@aoedw-e-app3009 data]$ cat activemq.log
[bodi@aoedw-e-app3009 data]$
Re iterating the steps followed for upgrade from 5.14.5 to 5.18.3
1. Stop the ActiveMQ server process
[bodi@aoedw-e-app3009 bin]$ ./activemq stop
2.Extract new ActiveMQ release
-rw-------. 1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
drwx------. 12 bodi bodi 220 Jan 29 17:02 apache-activemq-5.14.5
[bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz
3. Copy any config files from the old conf folder
Copy ActiveMQ broker configuration file
[bodi@aoedw-e-app3009 conf]$ cp
/app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml
/app01/apachemq/tc6v/apache-activemq-5.18.3/conf
Copy users, groups and passwords
[bodi@aoedw-e-app3009 conf]$ cp
/app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties
/app01/apachemq/tc6v/apache-activemq-5.18.3/conf
Copy below two jetty files
[bodi@aoedw-e-app3009 conf]$ cp
/app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml
/app01/apachemq/tc6v/apache-activemq-5.18.3/conf
[bodi@aoedw-e-app3009 conf]$ cp
/app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties
/app01/apachemq/tc6v/apache-activemq-5.18.3/conf
4.Copy Environment file from old to new folder
cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env
/app01/apachemq/tc6v/apache-activemq-5.18.3/bin
5. Copy kahadb folder over to recover any messages
[bodi@aoedw-e-app3009 data]$ cp -r
/app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb
/app01/apachemq/tc6v/apache-activemq-5.18.3/data
6. Start ActiveMQ
[bodi@aoedw-e-app3009 bin]$ ./activemq start
Thanks & Regards
Vishnu Middela
-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Monday, January 29, 2024 9:18 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic
version upgrade
CAUTION - EXTERNAL:
Your screenshot didn't make it through.
Justin
On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <
vishnu_midd...@ao.uscourts.gov> wrote:
> Hi Justin,
>
> I don’t see anything in the logs either..
>
>
>
>
>
>
>
>
>
> Thanks & Regards
>
> Vishnu Middela
>
>
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Monday, January 29, 2024 7:47 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache
> ActiveMQ classic version upgrade
>
>
>
> CAUTION - EXTERNAL:
>
>
>
>
>
> Your output doesn't indicate any problems. Everything looks normal as
> far as I can tell. This is the same output I see when I execute
> "activemq start" on a default instance of ActiveMQ Classic 5.18.3.
>
>
>
> I recommend you check the output in data/activemq.log to see if the
> broker started up properly.
>
>
>
>
>
> Justin
>
>
>
> On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <
> vishnu_midd...@ao.uscourts.gov> wrote:
>
>
>
> > Hi,
>
> > Attached are the steps that are followed to upgrade
> > ApacheMQ
>
> > classic from 5.15.8 to 5.18.3
>
> >
>
> > Only message I see is as below after trying to start activemq.
> > Please
>
> > let me know if I missed any steps and how to debug this issue.
>
> >
>
> > [bodi@aoedw-e-app3009 bin]$ ./activemq start
>
> > INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
>
> > INFO: Using java '/usr/bin/java'
>
> > INFO: Starting - inspect logfiles specified in logging.properties
> > and
>
> > log4j2.properties to get details
>
> > INFO: pidfile created :
>
> > '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid'
> > (pid
>
> > '18302')
>
> >
>
> > Thanks & Regards
>
> > Vishnu Middela
>
> >
>
> > -----Original Message-----
>
> > From: Justin Bertram <jbert...@apache.org>
>
> > Sent: Tuesday, January 16, 2024 1:43 PM
>
> > To: users@activemq.apache.org
>
> > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
>
> >
>
> > CAUTION - EXTERNAL:
>
> >
>
> >
>
> > ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years
> > ago
> now.
>
> > Since then, in part to deal with security issues, the logging
>
> > implementation changed to Reload4j and then eventually to Log4j 2.
> > The
>
> > best way you can mitigate security issues is to stay up-to-date. I
>
> > strongly recommend you migrate to the latest release of ActiveMQ
>
> > Classic 5.x which is 5.18.3 [2].
>
> >
>
> > If you don't want to or can't upgrade for some reason then you can
>
> > remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it
> > was
>
> > designed to be binary compatible. That will resolve CVE-2019-17571,
>
> > CVE-2020-9488, & CVE-2022-23302.
>
> >
>
> >
>
> > Justin
>
> >
>
> > [1] https://reload4j.qos.ch/
>
> > [2] https://activemq.apache.org/components/classic/download/
>
> > [3]
>
> >
>
> > https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reloa
> > d4
>
> > j-1.2.25.jar
>
> >
>
> > On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela <
>
> > vishnu_midd...@ao.uscourts.gov> wrote:
>
> >
>
> > > Hi,
>
> > > Security team had raised concern on Log4j vulnerabilities
>
> > > for Apache Active MQ.
>
> > >
>
> > > Our current Apache Active MQ version is 5.15.8.
>
> > >
>
> > > Can you please let us know how we can avoid these Log4J
> vulnerabilities.
>
> > >
>
> > > Also below is the sample report attached.
>
> > >
>
> > > Plugin Output:
>
> > > Path : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar
>
> > > Installed version : 1.2.15
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > > /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> > > ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.j
> ar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > >
>
> > >
>
> > >
>
> > > Path :
>
> > >
> /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.
> jar
>
> > > Installed version : 1.2.17
>
> > > According to its self-reported version number, the installation of
>
> > > Apache Log4j on the remote host is 1.x and is no longer supported.
>
> > > Log4j reached its end of life prior to 2016. Additionally, Log4j
> > > 1.x
>
> > > is affected by multiple vulnerabilities, including :
>
> > >
>
> > > - Log4j includes a SocketServer that accepts serialized log
> > > events
> and
>
> > > deserializes them without verifying whether the objects are allowed
>
> > or
>
> > > not. This can provide an attack vector that can be exploited.
>
> > > (CVE-2019-17571)
>
> > >
>
> > > - Improper validation of certificate with host mismatch in
> > > Apache
> Log4j
>
> > > SMTP appender. This could allow an SMTPS connection to be
> intercepted
>
> > > by a man-in-the-middle attack which could leak any log messages
> > > sent
>
> > > through that appender. (CVE-2020-9488)
>
> > >
>
> > > - JMSSink uses JNDI in an unprotected manner allowing any
> > > application
>
> > > using the JMSSink to be vulnerable if it is configured to reference
>
> > an
>
> > > untrusted site or if the site referenced can be accesseed by the
>
> > attacker.
>
> > > (CVE-2022-23302)
>
> > >
>
> > > Lack of support implies that no new security patches for the
> > > product
>
> > > will be released by the vendor. As a result, it is likely to
> > > contain
>
> > > security vulnerabilities.
>
> > > Apache Log4j 1.x Multiple Vulnerabilities
>
> > >
>
> > >
>
> > >
>
> > > Thanks & Regards
>
> > > Vishnu Middela
>
> > >
>
> > >
>
> > CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary.
>
> > Exercise caution when opening attachments or clicking on links.
>
> >
>
> >
>
> CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary.
> Exercise caution when opening attachments or clicking on links.
>
>
>
CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary. Exercise
caution when opening attachments or clicking on links.
