[https://issues.apache.org/jira/browse/AMQ-8430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458336#comment-17458336]
David commented on AMQ-8430:
----------------------------
log4j is only found under ./lib/optional. By default it should use slf4j and
not log4j, as far as I have figured it out. Could anybody confirm that?
> Log4j 1.2.17 is being used in activemq-all : [CVE-2021-44228] [log4j] [1.2.17]
> -------------------------------------------------------------------------------
>
> Key: AMQ-8430
> URL: https://issues.apache.org/jira/browse/AMQ-8430
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 5.16.3
> Reporter: Aman Mishra
> Priority: Critical
>
> *Aqua Description :* Apache Log4j2 <=2.14.1 JNDI features used in
> configuration, log messages, and parameters do not protect against attacker
> controlled LDAP and other JNDI related endpoints. An attacker who can control
> log messages or log message parameters can execute arbitrary code loaded from
> LDAP servers when message lookup substitution is enabled. From log4j 2.15.0,
> this behavior has been disabled by default. In previous releases (>2.10) this
> behavior can be mitigated by setting system property
> "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class
> from the classpath (example: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see
> [https://www.oracle.com/java/technologies/javase/8u121-relnotes.html])
> protects against remote code execution by defaulting
> "com.sun.jndi.rmi.object.trustURLCodebase" and
> "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
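The quoted description names one mitigation, deleting JndiLookup.class from the jar, and the comment asks which jars under the distribution actually carry log4j. The script below is an added example, not code from ActiveMQ, Log4j or the issue thread: it walks a lib tree, reports every jar that still contains the JndiLookup entry, and can rewrite a jar without it (the same effect as the quoted zip -d command). The lib/optional layout and jar names it builds are a constructed fixture for testing, not real artifacts.

```python
import os
import tempfile
import zipfile

# Exact entry name from the advisory text quoted in the issue.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(root):
    """Sorted paths of every .jar under root that still ships JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if JNDI_LOOKUP in jar.namelist():
                        hits.append(path)
            except zipfile.BadZipFile:
                continue  # not an archive; nothing to report for it
    return sorted(hits)


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what the quoted zip -d command does).
    Returns True if the entry was removed, False if it was not present."""
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)  # atomic swap so a crash leaves the original intact
    return removed


def build_sample_tree():
    """Constructed fixture, not real artifacts: a lib/optional layout with one jar
    carrying the JndiLookup entry and one without. Returns the root directory."""
    root = tempfile.mkdtemp(prefix="amq-lib-")
    optional = os.path.join(root, "lib", "optional")
    os.makedirs(optional)
    with zipfile.ZipFile(os.path.join(optional, "log4j-core-SAMPLE.jar"), "w") as jar:
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "lib", "slf4j-api-SAMPLE.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root
```

Run jars_with_jndi_lookup("lib") against a real installation directory to get the inventory; only jars that contain the entry are listed, so a distribution that ships log4j 1.x alone reports nothing.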