[
https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Srinivasa Yadlapalli updated AMQ-8449:
--------------------------------------
Description:
log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder
which was flagged by security team for vulnerability issue...
Please advice how to upgrade this to the latest log4j 2.x to fix vulnerability
issues.
The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to
Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy
methods in SocketServer.class do not verify if the file at a given file path
contains any untrusted objects prior to deserializing them. A remote attacker
can exploit this vulnerability by providing a path to crafted files, which
result in arbitrary code execution when deserialized.
was:he log4j:log4j package is vulnerable to Remote Code Execution (RCE) due
to Deserialization of Untrusted Data. The configureHierarchy and
genericHierarchy methods in SocketServer.class do not verify if the file at a
given file path contains any untrusted objects prior to deserializing them. A
remote attacker can exploit this vulnerability by providing a path to crafted
files, which result in arbitrary code execution when deserialized.
Environment:
log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder
which was flagged by security team for vulnerability issue...
Please advice how to upgrade this to the latest log4j 2.x to fix vulnerability
issues.
Summary: apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to
Log4J 2.x to fix log4j related security issue (was: apache-activemq-5.16.3 -
How to upgrade Log4j 1.x to Log4J 2.x to fix log4j related security issue)
> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix
> log4j related security issue
> -------------------------------------------------------------------------------------------------------
>
> Key: AMQ-8449
> URL: https://issues.apache.org/jira/browse/AMQ-8449
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 5.16.3
> Environment: log4j-1.2.17.1.jar file exists in
> "apache-activemq-5.16.3\lib\optional" folder which was flagged by security
> team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix
> vulnerability issues.
> Reporter: Srinivasa Yadlapalli
> Priority: Critical
> Fix For: 5.16.3
>
>
> log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional"
> folder which was flagged by security team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix
> vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to
> Deserialization of Untrusted Data. The configureHierarchy and
> genericHierarchy methods in SocketServer.class do not verify if the file at a
> given file path contains any untrusted objects prior to deserializing them. A
> remote attacker can exploit this vulnerability by providing a path to crafted
> files, which result in arbitrary code execution when deserialized.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
