[
https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471860#comment-17471860
]
Swyrik Thupili commented on AMQ-8449:
-------------------------------------
[~jbonofre] Can you please let me know the general availability of Active MQ
5.17.x?
> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix
> log4j related security issue
> -------------------------------------------------------------------------------------------------------
>
> Key: AMQ-8449
> URL: https://issues.apache.org/jira/browse/AMQ-8449
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 5.16.3
> Environment: log4j-1.2.17.1.jar file exists in
> "apache-activemq-5.16.3\lib\optional" folder which was flagged by security
> team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix
> vulnerability issues.
> Reporter: Srinivasa Yadlapalli
> Priority: Critical
>
> log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional"
> folder which was flagged by security team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix
> vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to
> Deserialization of Untrusted Data. The configureHierarchy and
> genericHierarchy methods in SocketServer.class do not verify if the file at a
> given file path contains any untrusted objects prior to deserializing them. A
> remote attacker can exploit this vulnerability by providing a path to crafted
> files, which result in arbitrary code execution when deserialized.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
