5.18 requires Java 11+ (https://activemq.apache.org/activemq-5018003-release).
5.16.x is the latest version that supports Java 8. I think 5.16.x includes
fixes for the various log4j issues.


> -----Original Message-----
> From: Vishnu Middela <vishnu_midd...@ao.uscourts.gov>
> Sent: Wednesday, January 31, 2024 2:13 PM
> To: users@activemq.apache.org
> Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ
> classic version upgrade
>
> Hi,
>            Current Java version we have on our system is as below. Does this
> need to be upgraded too for ActiveMQ Classic 5.18.3 to be up and running?
>
> /app01/apachemq/apache-activemq-5.18.3/bin
> [bodi@aoedw-e-app3009 bin]$ java -version
> openjdk version "1.8.0_392"
> OpenJDK Runtime Environment (build 1.8.0_392-b08)
> OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
>
> Thanks & Regards
> Vishnu Middela
>
> -----Original Message-----
> From: Vishnu Middela <vishnu_midd...@ao.uscourts.gov>
> Sent: Tuesday, January 30, 2024 7:15 AM
> To: users@activemq.apache.org
> Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ
> classic version upgrade
>
> Hi,
>           Below is the confirmation that activemq.log is empty.
>
> -rwx------. 1 bodi bodi    0 Oct 24 15:32 activemq.log
> drwx------. 2 bodi bodi 4096 Jan 29 17:31 kahadb
> -rw-------. 1 bodi bodi    4 Jan 29 20:02 activemq.pid
> [bodi@aoedw-e-app3009 data]$ cat activemq.log
> [bodi@aoedw-e-app3009 data]$
>
>
> Reiterating the steps followed for upgrade from 5.14.5 to 5.18.3:
>
> 1. Stop the ActiveMQ server process
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq stop
>
> 2. Extract new ActiveMQ release
>
> -rw-------.  1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
> drwx------. 12 bodi bodi      220 Jan 29 17:02 apache-activemq-5.14.5
> [bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz
>
> 3. Copy any config files from the old conf folder
>
> Copy ActiveMQ broker configuration file
>
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
>
> Copy users, groups and passwords
>
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
>
> Copy below two jetty files
>
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
>
> 4. Copy Environment file from old to new folder
>
> cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env /app01/apachemq/tc6v/apache-activemq-5.18.3/bin
>
> 5. Copy kahadb folder over to recover any messages
>
> [bodi@aoedw-e-app3009 data]$ cp -r /app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb /app01/apachemq/tc6v/apache-activemq-5.18.3/data
>
> 6. Start ActiveMQ
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq start
>
>
> Thanks & Regards
> Vishnu Middela
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Monday, January 29, 2024 9:18 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ
> classic version upgrade
>
> CAUTION - EXTERNAL:
>
>
> Your screenshot didn't make it through.
>
>
> Justin
>
>
> On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <
> vishnu_midd...@ao.uscourts.gov> wrote:
>
> > Hi Justin,
> >
> >                     I don’t see anything in the logs either..
> >
> > Thanks & Regards
> > Vishnu Middela
> >
> > -----Original Message-----
> > From: Justin Bertram <jbert...@apache.org>
> > Sent: Monday, January 29, 2024 7:47 PM
> > To: users@activemq.apache.org
> > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache
> > ActiveMQ classic version upgrade
> >
> > Your output doesn't indicate any problems. Everything looks normal as
> > far as I can tell. This is the same output I see when I execute
> > "activemq start" on a default instance of ActiveMQ Classic 5.18.3.
> >
> > I recommend you check the output in data/activemq.log to see if the
> > broker started up properly.
> >
> > Justin
> >
> > On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <
> > vishnu_midd...@ao.uscourts.gov> wrote:
> >
> > > Hi,
> > >           Attached are the steps that are followed to upgrade ActiveMQ
> > > classic from 5.15.8 to 5.18.3
> > >
> > > Only message I see is as below after trying to start activemq. Please
> > > let me know if I missed any steps and how to debug this issue.
> > >
> > > [bodi@aoedw-e-app3009 bin]$ ./activemq start
> > > INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> > > INFO: Using java '/usr/bin/java'
> > > INFO: Starting - inspect logfiles specified in logging.properties and
> > > log4j2.properties to get details
> > > INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
> > >
> > > Thanks & Regards
> > > Vishnu Middela
> > >
> > > -----Original Message-----
> > > From: Justin Bertram <jbert...@apache.org>
> > > Sent: Tuesday, January 16, 2024 1:43 PM
> > > To: users@activemq.apache.org
> > > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
> > >
> >
> > > ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago
> > > now. Since then, in part to deal with security issues, the logging
> > > implementation changed to Reload4j and then eventually to Log4j 2. The
> > > best way you can mitigate security issues is to stay up-to-date. I
> > > strongly recommend you migrate to the latest release of ActiveMQ
> > > Classic 5.x which is 5.18.3 [2].
> > >
> > > If you don't want to or can't upgrade for some reason then you can
> > > remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was
> > > designed to be binary compatible. That will resolve CVE-2019-17571,
> > > CVE-2020-9488, & CVE-2022-23302.
> > >
> > > Justin
> > >
> > > [1] https://reload4j.qos.ch/
> > > [2] https://activemq.apache.org/components/classic/download/
> > > [3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar
> >
> > >
> >
> > > On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela <
> > > vishnu_midd...@ao.uscourts.gov> wrote:
> > >
> > > > Hi,
> > > >         Security team had raised concern on Log4j vulnerabilities
> > > > for Apache Active MQ.
> > > >
> > > > Our current Apache Active MQ version is 5.15.8.
> > > >
> > > > Can you please let us know how we can avoid these Log4J vulnerabilities.
> > > >
> > > > Also below is the sample report attached.
> > > >
> > > > Plugin Output:
> > > >   Path              : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar
> > > >   Installed version : 1.2.15
> > > >
> > > >   Path              : /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> > > >
> > > >   Path              : /app01/apachemq/wvsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> > > >   Installed version : 1.2.17
> >
> > > > According to its self-reported version number, the installation of
> > > > Apache Log4j on the remote host is 1.x and is no longer supported.
> > > > Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x
> > > > is affected by multiple vulnerabilities, including :
> > > >
> > > >   - Log4j includes a SocketServer that accepts serialized log events and
> > > >     deserializes them without verifying whether the objects are allowed
> > > >     or not. This can provide an attack vector that can be exploited.
> > > >     (CVE-2019-17571)
> > > >
> > > >   - Improper validation of certificate with host mismatch in Apache Log4j
> > > >     SMTP appender. This could allow an SMTPS connection to be intercepted
> > > >     by a man-in-the-middle attack which could leak any log messages sent
> > > >     through that appender. (CVE-2020-9488)
> > > >
> > > >   - JMSSink uses JNDI in an unprotected manner allowing any application
> > > >     using the JMSSink to be vulnerable if it is configured to reference
> > > >     an untrusted site or if the site referenced can be accessed by the
> > > >     attacker. (CVE-2022-23302)
> > > >
> > > > Lack of support implies that no new security patches for the product
> > > > will be released by the vendor. As a result, it is likely to contain
> > > > security vulnerabilities.
> > > > Apache Log4j 1.x Multiple Vulnerabilities
> >
> > > >
> >
> > > >
> >
> > > >
> >
> > > > Thanks & Regards
> >
> > > > Vishnu Middela
> >
> > > >
> >
> > > >
> >
> > > CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary.
> > > Exercise caution when opening attachments or clicking on links.
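An added pre-flight script covering the two remedies that come up in this thread: the Java requirement behind the silent 5.18.3 start (the top reply's point that 5.18 needs Java 11+ while 5.16.x is the last line that runs on Java 8), and Justin's interim mitigation of removing log4j-1.2.17.jar and dropping in the binary-compatible reload4j-1.2.25.jar across the installs the scanner flagged. This is example code written for this page, not code from the thread or from the ActiveMQ project. Assumptions: the install directory is named apache-activemq-<version> as in the thread, the "5.17 and later need Java 11" threshold is inferred from the statement that 5.16.x is the last Java 8 release, and the directory layout, jar names and `java -version` strings in the tests are constructed.

```shell
#!/bin/sh
# Added example for this page (not code from the thread or from ActiveMQ).
# Pre-flight checks for an in-place ActiveMQ Classic upgrade plus an
# inventory/swap helper for Log4j 1.x jars. All paths and version strings
# mentioned in comments are constructed for illustration.

# java_major "<first line of java -version, or a bare version>" -> major.
# Legacy scheme "1.8.0_392" -> 8; modern "11.0.21" -> 11; "17" -> 17.
java_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$v" ] || v=$1
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# min_java_for "<ActiveMQ Classic version>" -> minimum Java major version.
# From the thread: 5.18 needs Java 11+ and 5.16.x is the last Java 8 line;
# treating 5.17+ as Java 11 is the assumption that follows from that.
min_java_for() {
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    if [ "$minor" -ge 17 ]; then echo 11; else echo 8; fi
}

# java_ok "<ActiveMQ version>" "<java -version line>" -> exit 0 if compatible.
java_ok() {
    [ "$(java_major "$2")" -ge "$(min_java_for "$1")" ]
}

# find_log4j1 ROOT -> every Log4j 1.2 jar below ROOT, one path per line.
# Matches both lib/optional/log4j-1.2.17.jar and HermesJMS/lib/log4j-1.2.15.jar
# as they appear in the scanner report.
find_log4j1() {
    find "$1" -type f -name 'log4j-1.2.*.jar' | sort
}

count_log4j1() {
    find_log4j1 "$1" | wc -l | tr -d ' '
}

# swap_reload4j LOG4J_JAR RELOAD4J_JAR -> copy reload4j into the same
# directory and remove the Log4j 1.2 jar. Only one of the two may be on the
# classpath, so the copy and the removal are done as one step.
swap_reload4j() {
    jar=$1
    repl=$2
    [ -f "$jar" ]  || { echo "not a file: $jar" >&2; return 1; }
    [ -f "$repl" ] || { echo "reload4j jar missing: $repl" >&2; return 1; }
    cp "$repl" "$(dirname "$jar")/" && rm -f "$jar"
}

# preflight INSTALL_DIR -> checks the JDK the broker will use against the
# ActiveMQ version encoded in the directory name, then reports any Log4j 1.2
# jars still present. Non-zero exit means "do not start yet".
# If bin/env pins JAVA_HOME, export it before calling; otherwise the java on
# PATH is used, which is what "INFO: Using java '/usr/bin/java'" reports.
preflight() {
    root=$1
    ver=$(basename "$root" | sed -n 's/^apache-activemq-\([0-9][0-9.]*\)$/\1/p')
    [ -n "$ver" ] || { echo "cannot read version from $root" >&2; return 1; }
    jv=$("${JAVA_HOME:+$JAVA_HOME/bin/}java" -version 2>&1 | head -n 1)
    if java_ok "$ver" "$jv"; then
        echo "OK: $jv satisfies ActiveMQ $ver (needs Java $(min_java_for "$ver")+)"
    else
        echo "FAIL: $jv is below Java $(min_java_for "$ver") required by ActiveMQ $ver" >&2
        return 1
    fi
    n=$(count_log4j1 "$root")
    echo "Log4j 1.2 jars under $root: $n"
    [ "$n" -eq 0 ]
}
```

Usage on a host like the one in the thread: `preflight /app01/apachemq/tc6v/apache-activemq-5.18.3` fails fast on the 1.8.0_392 JDK instead of leaving an empty activemq.log to puzzle over, and for the 5.15.8 installs that cannot be upgraded yet, `find_log4j1 /app01/apachemq | while read -r j; do swap_reload4j "$j" /tmp/reload4j-1.2.25.jar; done` performs the jar swap Justin describes; run `count_log4j1 /app01/apachemq` afterwards and expect 0 before re-scanning.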
