[
https://issues.apache.org/jira/browse/AMQ-8430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458358#comment-17458358
]
Aman Mishra commented on AMQ-8430:
----------------------------------
I have found the occurrence of log4j 1.2.17 in
[https://repo1.maven.org/maven2/org/apache/activemq/activemq-all/5.16.3/activemq-all-5.16.3.pom].
So, can anybody from the ActiveMQ side confirm where we are upgrading this
complete occurrence of log4j 1.2.17?
> Log4j 1.2.17 is being used in activemq-all - 5.16.3 : [CVE-2021-44228] [log4j] [1.2.17]
> ----------------------------------------------------------------------------------------
>
> Key: AMQ-8430
> URL: https://issues.apache.org/jira/browse/AMQ-8430
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 5.16.3
> Reporter: Aman Mishra
> Priority: Critical
>
> *Aqua Description :* Apache Log4j2 <=2.14.1 JNDI features used in
> configuration, log messages, and parameters do not protect against attacker
> controlled LDAP and other JNDI related endpoints. An attacker who can control
> log messages or log message parameters can execute arbitrary code loaded from
> LDAP servers when message lookup substitution is enabled. From log4j 2.15.0,
> this behavior has been disabled by default. In previous releases (>2.10) this
> behavior can be mitigated by setting system property
> "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class
> from the classpath (example: zip -q -d log4j-core-*.jar
> org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see
> [https://www.oracle.com/java/technologies/javase/8u121-relnotes.html])
> protects against remote code execution by defaulting
> "com.sun.jndi.rmi.object.trustURLCodebase" and
> "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
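The issue above pairs a scanner finding (log4j 1.2.17 listed in a pom) with a mitigation written for log4j-core 2.x (delete JndiLookup.class, or set log4j2.formatMsgNoLookups). As an added example, not code from ActiveMQ, Aqua or the reporter, here is a Python check that inspects an actual jar rather than a pom: it reads the versions from the embedded Maven pom.properties entries, tells the log4j 1.x package layout (org/apache/log4j/) apart from the log4j-core 2.x layout (org/apache/logging/log4j/core/), reports whether JndiLookup.class is present, and applies the zip -d removal from the description in memory. The two jars it scans are constructed fixtures with placeholder class bodies, not activemq-all; all function names are this example's own.

```python
"""Scan a jar for bundled log4j and apply the JndiLookup.class removal mitigation.

Added example; the jars below are constructed fixtures, not real ActiveMQ artifacts.
"""
import io
import re
import zipfile
from typing import Optional

# Entry the CVE description says to delete from log4j-core (a Log4j 2 class).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_PREFIX = "org/apache/log4j/"                    # log4j 1.x package layout
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"  # log4j-core 2.x package layout
# Maven embeds pom.properties under META-INF/maven/<groupId>/<artifactId>/
POM_RE = re.compile(
    r"^META-INF/maven/(log4j/log4j|org\.apache\.logging\.log4j/log4j-core)/pom\.properties$")


def _pom_version(data: bytes) -> Optional[str]:
    """Pull `version=` out of a pom.properties entry."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar(jar_bytes: bytes) -> dict:
    """Report which log4j generation(s) a jar bundles and whether JndiLookup.class is present."""
    report = {"log4j1": False, "log4j1_version": None,
              "log4j2_core": False, "log4j2_core_version": None,
              "jndi_lookup": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                report["jndi_lookup"] = True
            if name.startswith(LOG4J1_PREFIX) and name.endswith(".class"):
                report["log4j1"] = True
            if name.startswith(LOG4J2_CORE_PREFIX) and name.endswith(".class"):
                report["log4j2_core"] = True
            m = POM_RE.match(name)
            if m:
                key = "log4j1_version" if m.group(1) == "log4j/log4j" else "log4j2_core_version"
                report[key] = _pom_version(zf.read(name))
    return report


def classify(report: dict) -> str:
    """Map a scan report onto the situations the CVE description distinguishes."""
    if report["jndi_lookup"]:
        return "log4j2-jndi-lookup-present"  # strip-class / formatMsgNoLookups mitigation applies
    if report["log4j2_core"]:
        return "log4j2-jndi-lookup-absent"   # class already removed from this build
    if report["log4j1"]:
        return "log4j1-only"                 # 1.x layout; the targeted class is not part of it
    return "no-log4j"


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """In-memory equivalent of `zip -q -d log4j-core-*.jar <JNDI_LOOKUP>`: rewrite without that entry."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))  # keep every other entry and its metadata
    return out.getvalue()


def _jar(entries: dict) -> bytes:
    """Build a zip/jar in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: entry names mimic Maven/jar layout, class bodies are placeholders.
FAKE_CLASS = b"\xca\xfe\xba\xbe placeholder"


def build_log4j1_jar() -> bytes:
    """Constructed uber-jar shading only log4j 1.2.17 (the kind of finding the comment reports)."""
    return _jar({
        "org/apache/log4j/Logger.class": FAKE_CLASS,
        "META-INF/maven/log4j/log4j/pom.properties":
            "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
    })


def build_log4j2_jar() -> bytes:
    """Constructed jar shading log4j-core 2.14.1 with JndiLookup.class present."""
    return _jar({
        "org/apache/logging/log4j/core/Logger.class": FAKE_CLASS,
        JNDI_LOOKUP: FAKE_CLASS,
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
    })


if __name__ == "__main__":
    for label, jar in (("log4j1", build_log4j1_jar()), ("log4j2", build_log4j2_jar())):
        print(label, classify(scan_jar(jar)), scan_jar(jar))
    hardened = strip_jndi_lookup(build_log4j2_jar())
    print("after strip:", classify(scan_jar(hardened)))
```

Two caveats for real use. The pom linked in the comment is a dependency declaration; what actually ships is the shaded activemq-all jar, so run the scan on the jar that is deployed, not the pom. And a shade plugin configured with package relocation renames the log4j packages, so a prefix check like the one above misses relocated copies; when hunting for the class the description targets, match any entry ending in `/lookup/JndiLookup.class` regardless of its leading path.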