Aman Mishra created AMQ-8430:
--------------------------------
Summary: Log4j 1.2.17 is being used in activemq-all: [CVE-2021-44228] [log4j] [1.2.17]
Key: AMQ-8430
URL: https://issues.apache.org/jira/browse/AMQ-8430
Project: ActiveMQ
Issue Type: Bug
Components: AMQP
Affects Versions: 5.16.3
Reporter: Aman Mishra
*Aqua Description:* Apache Log4j2 <=2.14.1 JNDI features used in
configuration, log messages, and parameters do not protect against attacker
controlled LDAP and other JNDI related endpoints. An attacker who can control
log messages or log message parameters can execute arbitrary code loaded from
LDAP servers when message lookup substitution is enabled. From log4j 2.15.0,
this behavior has been disabled by default. In previous releases (>2.10) this
behavior can be mitigated by setting system property
"log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from
the classpath (example: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see
https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects
against remote code execution by defaulting
"com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
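The check a practitioner wants after a scanner flags a fat jar like activemq-all is to see what is actually bundled: whether the log4j-core 2.x JndiLookup class named in the description is present (before and after the `zip -q -d` removal step), which log4j-core 2.x version the jar's Maven metadata declares, and whether the jar instead carries log4j 1.x classes, which live under the `org/apache/log4j/` package rather than `org/apache/logging/log4j/`. The script below is an added example, not code from the ActiveMQ project or the Aqua report; it only reads the archive and recurses into nested jars, and the sample fat jar it builds in memory (log4j 1.x classes plus a nested log4j-core 2.14.1 jar) is constructed for the demonstration. The `pom.properties` path it reads the version from is the standard Maven layout and is an assumption about how the vendor jar was built.

```python
import io
import re
import zipfile

# Class the CVE text names; shipped in log4j-core 2.x jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j 1.x package prefix (distinct from log4j 2.x's org/apache/logging/log4j/).
LOG4J1_PREFIX = "org/apache/log4j/"
# Maven metadata that log4j-core 2.x jars carry (assumed standard layout); used to read the version.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def scan_jar_bytes(data, origin="<root>"):
    """Return a findings dict for one jar, recursing into any nested .jar entries."""
    findings = {"jndi_lookup": [], "log4j2_core_versions": [], "log4j1_jars": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP_CLASS:
                findings["jndi_lookup"].append(origin)
            elif name == LOG4J2_POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                findings["log4j2_core_versions"].append((origin, m.group(1).strip() if m else "?"))
            elif name.startswith(LOG4J1_PREFIX) and name.endswith(".class"):
                findings["log4j1_jars"].add(origin)
            elif name.lower().endswith(".jar"):
                nested = scan_jar_bytes(zf.read(name), f"{origin}!{name}")
                findings["jndi_lookup"] += nested["jndi_lookup"]
                findings["log4j2_core_versions"] += nested["log4j2_core_versions"]
                findings["log4j1_jars"] |= nested["log4j1_jars"]
    return findings


def scan_jar_file(path):
    """Scan a jar on disk (e.g. activemq-all-<version>.jar)."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), path)


def verdict(findings):
    """One-line classification of what the scan found."""
    if findings["jndi_lookup"]:
        return "log4j-core 2.x with JndiLookup present: apply the CVE-2021-44228 mitigation"
    if findings["log4j2_core_versions"]:
        return "log4j-core 2.x present, JndiLookup class not found"
    if findings["log4j1_jars"]:
        return "only log4j 1.x classes found (no log4j-core 2.x JndiLookup class)"
    return "no log4j classes found"


def _build_fat_jar():
    """Constructed sample: a fat jar bundling log4j 1.x classes plus a nested log4j-core 2.14.1 jar."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        zf.writestr(LOG4J2_POM, "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
    fat = io.BytesIO()
    with zipfile.ZipFile(fat, "w") as zf:
        zf.writestr(LOG4J1_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        zf.writestr("lib/log4j-core-2.14.1.jar", nested.getvalue())
    return fat.getvalue()


def demo():
    """Scan the constructed sample and return (findings, verdict)."""
    findings = scan_jar_bytes(_build_fat_jar(), "sample-all.jar")
    return findings, verdict(findings)


if __name__ == "__main__":
    found, result = demo()
    for key, val in found.items():
        print(f"{key}: {sorted(val) if isinstance(val, set) else val}")
    print(result)
```

Run `scan_jar_file` against the real activemq-all jar before and after the `zip -q -d` step from the description: the `jndi_lookup` list should be empty afterwards, and `log4j1_jars` shows whether what the scanner matched on the `1.2.17` tag is the 1.x package rather than a log4j-core 2.x component.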