[ https://issues.apache.org/jira/browse/AMQ-8430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram closed AMQ-8430.
-------------------------------
    Resolution: Information Provided

See https://activemq.apache.org/news/cve-2021-44228.

In the future please direct questions/discussions like this to the [ActiveMQ Users mailing list|https://activemq.apache.org/contact].

> Log4j 1.2.17 is being used in activemq-all - 5.16.3 : [CVE-2021-44228] [log4j] [1.2.17]
> ----------------------------------------------------------------------------------------
>
>                 Key: AMQ-8430
>                 URL: https://issues.apache.org/jira/browse/AMQ-8430
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 5.16.3
>            Reporter: Aman Mishra
>            Priority: Critical
>
> *Aqua Description :* Apache Log4j2 <=2.14.1 JNDI features used in 
> configuration, log messages, and parameters do not protect against attacker 
> controlled LDAP and other JNDI related endpoints. An attacker who can control 
> log messages or log message parameters can execute arbitrary code loaded from 
> LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, 
> this behavior has been disabled by default. In previous releases (>2.10) this 
> behavior can be mitigated by setting system property 
> "log4j2.formatMsgNoLookups" to “true” or by removing the JndiLookup class 
> from the classpath (example: zip -q -d log4j-core-*.jar 
> org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see 
> [https://www.oracle.com/java/technologies/javase/8u121-relnotes.html]) 
> protects against remote code execution by defaulting 
> "com.sun.jndi.rmi.object.trustURLCodebase" and 
> "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
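
The mitigation quoted above (run log4j-core 2.15.0 or later, or delete JndiLookup.class from the jar) can be verified directly against the jars in a build. The Python below is an added example, not code from this Jira thread or from ActiveMQ: it reads a jar's entries, recovers the log4j-core version from Maven's pom.properties when that file is present (an assumption; shaded jars may lack it), and labels the jar by the rules the description gives. The sample jars it builds are constructed fixtures, not real artifacts.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"  # log4j 1.x uses a different package


def inspect_jar(jar_bytes):
    """Report the log4j-core version (from pom.properties) and whether the jar
    still carries JndiLookup.class, the class the ticket's mitigation deletes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            m = re.search(rb"^version=(\S+)", zf.read(POM_PROPS), re.M)
            version = m.group(1).decode() if m else None
    return {"version": version, "jndi_lookup": JNDI_LOOKUP in names,
            "log4j1": LOG4J1_CLASS in names}


def classify(report):
    """Triage label following the rules quoted in the ticket: 2.15.0+ disables
    lookups by default; older cores are exposed unless JndiLookup.class is gone."""
    if report["jndi_lookup"]:
        if report["version"]:
            nums = tuple(int(x) for x in re.findall(r"\d+", report["version"])[:3])
            if nums >= (2, 15, 0):
                return "PATCHED"
        return "EXPOSED"  # JndiLookup.class present in <2.15.0 or unknown version
    if report["version"]:
        return "MITIGATED"  # log4j-core present but JndiLookup.class removed
    if report["log4j1"]:
        return "LOG4J1"  # 1.x line, which has no JndiLookup class at all
    return "NO-LOG4J-CORE"


def build_sample_jar(version, with_jndi, log4j1=False):
    """Constructed fixture: a zip shaped like a log4j jar, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        if log4j1:
            zf.writestr(LOG4J1_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Pointing inspect_jar at real files (open(path, "rb").read()) distinguishes an untouched 2.14.1 core (EXPOSED) from the same jar after the quoted zip -d command (MITIGATED) and from a log4j 1.x jar such as the one this ticket is about (LOG4J1).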


