Srinivasa Yadlapalli created AMQ-8449:
-----------------------------------------
Summary: apache-activemq-5.16.3 - How to upgrade Log4j 1.x to
Log4J 2.x to fix log4j related security issue
Key: AMQ-8449
URL: https://issues.apache.org/jira/browse/AMQ-8449
Project: ActiveMQ
Issue Type: Bug
Components: AMQP
Affects Versions: 5.16.3
Reporter: Srinivasa Yadlapalli
Fix For: 5.16.3
The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to
Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy
methods in SocketServer.class do not verify if the file at a given file path
contains any untrusted objects prior to deserializing them. A remote attacker
can exploit this vulnerability by providing a path to crafted files, which
result in arbitrary code execution when deserialized.
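As an added illustration (not part of the original report), the following Python script helps a defender answer the question the report raises: which jars in an installation still ship Log4j 1.x, and do they still carry the SocketServer class the report names. It identifies the generation by well-known class paths (org/apache/log4j/ for 1.x, org/apache/logging/log4j/ for 2.x) and reads the manifest version if one is present. The sample jars it builds for the demo are constructed stand-ins with empty class entries; the "1.2.x-SAMPLE" version string is a placeholder, not a real release.

```python
"""Locate Log4j 1.x jars (the log4j:log4j artifact) under a directory and report
whether each still contains org.apache.log4j.net.SocketServer.
Added example, not code from the ActiveMQ project."""
import os
import sys
import tempfile
import zipfile

# Class whose deserialization path the report describes.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Log4j 1.x classes live under org/apache/log4j/, Log4j 2.x under org/apache/logging/log4j/.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/Logger.class"


def _manifest_version(zf):
    """Return Implementation-Version or Bundle-Version from META-INF/MANIFEST.MF, else None."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        for key in ("Implementation-Version:", "Bundle-Version:"):
            if line.startswith(key):
                return line[len(key):].strip()
    return None


def inspect_jar(path):
    """Describe one jar: Log4j generation present and whether SocketServer.class is inside.
    Returns None for files that are not readable zip archives."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = _manifest_version(zf)
    except (zipfile.BadZipFile, OSError):
        return None
    return {
        "path": path,
        "log4j1": LOG4J1_MARKER in names,
        "log4j2": LOG4J2_MARKER in names,
        "socket_server": SOCKET_SERVER_CLASS in names,
        "version": version,
    }


def scan_tree(root):
    """Walk root and collect findings for every jar that contains Log4j 1.x classes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".jar", ".zip")):
                continue
            info = inspect_jar(os.path.join(dirpath, name))
            if info and info["log4j1"]:
                findings.append(info)
    return findings


def build_sample_jar(path, log4j1=True, version="1.2.x-SAMPLE"):
    """Constructed stand-in jar: only the entry names matter to inspect_jar(),
    so class entries are written empty. The version string is a placeholder."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if log4j1:
            zf.writestr(LOG4J1_MARKER, b"")
            zf.writestr(SOCKET_SERVER_CLASS, b"")
        else:
            zf.writestr(LOG4J2_MARKER, b"")


def demo(tmpdir=None):
    """Build a constructed lib/ directory holding one Log4j 1.x jar and one Log4j 2.x jar,
    then scan it. Only the 1.x jar should be reported."""
    if tmpdir is None:
        tmpdir = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(tmpdir, exist_ok=True)
    build_sample_jar(os.path.join(tmpdir, "log4j-sample.jar"), log4j1=True)
    build_sample_jar(os.path.join(tmpdir, "log4j-api-sample.jar"), log4j1=False)
    return scan_tree(tmpdir)


if __name__ == "__main__":
    # Usage: python scan_log4j1.py /path/to/activemq/lib   (no argument runs the constructed demo)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in results:
        flag = "SocketServer present" if r["socket_server"] else "no SocketServer"
        print(f"{r['path']}: Log4j 1.x (version {r['version']}), {flag}")
```

Run it against the broker's lib/ directory before and after the upgrade: a clean result means no jar under that tree still contains the org/apache/log4j/ 1.x classes.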
--
This message was sent by Atlassian Jira
(v8.20.1#820001)