This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new dd8038f Automatic Site Publish by Buildbot
dd8038f is described below
commit dd8038fd8ae022a3359f5c0c3cbfad58897c9ebf
Author: buildbot <[email protected]>
AuthorDate: Thu Dec 16 18:05:29 2021 +0000
Automatic Site Publish by Buildbot
---
output/news/cve-2021-44228.html | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/output/news/cve-2021-44228.html b/output/news/cve-2021-44228.html
index 4bbe510..c58418c 100644
--- a/output/news/cve-2021-44228.html
+++ b/output/news/cve-2021-44228.html
@@ -93,11 +93,15 @@
<div class="col-12 main">
<p><a href="/news">News</a> > <a href="/news/cve-2021-44228">Update
on CVE-2021-44228</a></p>
+<h4 id="summary">Summary</h4>
+
<p><a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228">CVE-2021-44228</a> was
recently announced and it has caused quite a bit of traffic on the mailing
lists and in Jira from users curious about its impact on both ActiveMQ
“Classic” and Artemis. In short, <strong>CVE-2021-44228 has no impact on any
ActiveMQ broker</strong> because no ActiveMQ broker uses any version of Log4j2.
To reiterate, <strong>no action is required to mitigate
CVE-2021-44228</strong>.</p>
-<p>ActiveMQ “Classic” <em>does</em> use Log4j for logging, but the latest
versions (i.e. <a
href="https://activemq.apache.org/activemq-5015015-release">5.15.15</a> and <a
href="https://activemq.apache.org/activemq-5016003-release">5.16.3</a>) use
Log4j 1.2.17 which is not impacted by CVE-2021-44228. This version of Log4j has
been used since 5.7.0. The upcoming ActiveMQ <a
href="https://github.com/apache/activemq/tree/main">5.17.0</a> <a
href="https://github.com/apache/activemq/pull/662"> [...]
+<h4 id="additional-details">Additional Details</h4>
+
+<p>ActiveMQ “Classic” <em>does</em> use Log4j for logging, but the latest
versions (i.e. <a
href="https://activemq.apache.org/activemq-5015015-release">5.15.15</a> and <a
href="https://activemq.apache.org/activemq-5016003-release">5.16.3</a>) use
Log4j 1.2.17 which is not impacted by CVE-2021-44228. This version of Log4j has
been used since 5.7.0. The upcoming ActiveMQ <a
href="https://github.com/apache/activemq/tree/main">5.17.0</a> <a
href="https://github.com/apache/activemq/pull/662"> [...]
-<p>ActiveMQ Artemis <em>does not</em> use Log4j for logging. However, Log4j
1.2.17 is included in the Hawtio-based web console application archive (i.e.
<code class="language-plaintext
highlighter-rouge">web/console.war/WEB-INF/lib</code>). Although this version
of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be
updated so that the Log4j jar is no longer included in the web console
application archive.</p>
+<p>ActiveMQ Artemis <em>does not</em> use Log4j for logging. However, Log4j
1.2.17 is included in the Hawtio-based web console application archive (i.e.
<code class="language-plaintext
highlighter-rouge">web/console.war/WEB-INF/lib</code>). Although this version
of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be
updated so that the Log4j jar is no longer included in the web console
application archive. See <a
href="https://issues.apache.org/jira/browse/ARTEMIS- [...]
</div>
</div>
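Review bot: The paragraph now under the new "Summary" heading tells readers that no action is required, but the detail most likely to show up in a file-based scan, the Log4j 1.2.17 jar shipped in web/console.war/WEB-INF/lib of Artemis, is mentioned only under "Additional Details". Consider adding one sentence to the Summary noting that ActiveMQ "Classic" and the Artemis web console archive do contain Log4j 1.2.17, and that this is a 1.x release rather than Log4j2, so a reader who stops at the summary can reconcile "no action is required" with what a scanner reports. In the re-added Artemis paragraph, "Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated" also needs a comma after "CVE-2021-44228".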