Just show the log4j2 cve list to that customer, and persuade him no hurry to migrate.
XenoAmess ________________________________ From: JB Onofré <j...@nanthrax.net> Sent: Monday, January 3, 2022 11:31:30 PM To: dev@activemq.apache.org <dev@activemq.apache.org> Subject: Re: ActiveMQ 5.17 and log4j2 About 5.16 no way: it’s log4j 1.x And log4j 1.x is not impacted by log4shell vulnerability so no need to update. Regards JB > Le 3 janv. 2022 à 16:00, Laurent Blanquet <lblanq...@b2btechno.net> a écrit : > > Hi Guys, > > It seems that the latest version available is still using log4j 1.2.17. > > Unfortunately we have a customer who has a strong requisite to migrate to > log4j2 before 10 of January ! > > Is there a (simple) mean to force this version (or 5.16.3 ?) to use log4j > 2.17 ? > > Regards, > > Laurent
