[ https://issues.apache.org/jira/browse/AMQ-8480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Gemmell closed AMQ-8480.
-------------------------------
Resolution: Duplicate
There have been several JIRAs opened on this already, including those with
changes already in progress for switching to reload4j in 5.16.x (AMQ-8472) and
Log4J2 in 5.17.x (AMQ-7426).
> activemq-all-5.16.2.jar
> -----------------------
>
> Key: AMQ-8480
> URL: https://issues.apache.org/jira/browse/AMQ-8480
> Project: ActiveMQ
> Issue Type: Bug
> Components: JMS client
> Affects Versions: 5.16.2
> Environment: Linux 8
> Reporter: BHANU PRATHAP V
> Priority: Blocker
>
> activemq-all-5.16.2.jar
> cve: CVE-2022-23302
>
> JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of
> untrusted data when the attacker has write access to the Log4j configuration
> or if the configuration references an LDAP service the attacker has access
> to. The attacker can provide a TopicConnectionFactoryBindingName
> configuration causing JMSSink to perform JNDI requests that result in remote
> code execution in a similar fashion to CVE-2021-4104. Note this issue only
> affects Log4j 1.x when specifically configured to use JMSSink, which is not
> the default. Apache Log4j 1.2 reached end of life in August 2015. Users
> should upgrade to Log4j 2 as it addresses numerous other issues from the
> previous versions.
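The advisory quoted above narrows the exposure to one precondition: Log4j 1.x must be configured to use JMSSink, and the trigger is a JNDI lookup of a TopicConnectionFactoryBindingName, the same mechanism as CVE-2021-4104 (JMSAppender). The script below is an added audit example, not code from AMQ-8480, ActiveMQ or Log4j: it checks a log4j.properties-style configuration for JMSSink/JMSAppender references combined with JNDI binding names, lists whether a bundled jar (such as activemq-all) still ships those classes, and produces a copy of the jar with the entries removed, which is the usual stop-gap when the jar cannot be upgraded yet. The class entry paths are the real Log4j 1.x ones; the sample configuration and the in-memory jar are constructed for the example.

```python
"""Added audit example for CVE-2022-23302 / CVE-2021-4104 (not part of AMQ-8480).

Checks the two things a defender can act on from the advisory:
  1. does a Log4j 1.x configuration reference JMSSink/JMSAppender together
     with JNDI binding names (the exploit precondition), and
  2. does a jar still bundle those classes, with a helper that strips them.
Sample inputs at the bottom are constructed, not taken from the issue.
"""
import io
import zipfile

# Fully qualified Log4j 1.x class names and their jar entry paths.
LOG4J1_JMS_CLASSES = {
    "org.apache.log4j.net.JMSSink": "org/apache/log4j/net/JMSSink.class",
    "org.apache.log4j.net.JMSAppender": "org/apache/log4j/net/JMSAppender.class",
}
# Configuration properties that drive the JNDI lookup.
JNDI_KEYS = ("TopicConnectionFactoryBindingName", "TopicBindingName")


def audit_log4j_properties(text):
    """Return (severity, message) findings for a log4j.properties-style text.

    'high'   = a JMS sink/appender is configured together with a JNDI binding
               name, i.e. exactly the precondition the advisory describes.
    'medium' = only one half of that precondition is present.
    """
    jms_refs, jndi_refs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank, comment, or not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        if value in LOG4J1_JMS_CLASSES:
            jms_refs.append(f"{key}={value}")
        if any(key.endswith("." + k) for k in JNDI_KEYS):
            jndi_refs.append(f"{key}={value}")
    findings = []
    if jms_refs and jndi_refs:
        findings.append(("high", "JMS sink/appender with JNDI lookup: "
                         + "; ".join(jms_refs + jndi_refs)))
    elif jms_refs:
        findings.append(("medium", "JMS sink/appender referenced: " + "; ".join(jms_refs)))
    elif jndi_refs:
        findings.append(("medium", "JNDI binding names set: " + "; ".join(jndi_refs)))
    return findings


def jar_entries(jar_bytes):
    """Return the sorted entry names of a jar (zip) image held in memory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())


def find_jms_classes(jar_bytes):
    """Return the Log4j 1.x JMS class entries that the jar still bundles."""
    names = set(jar_entries(jar_bytes))
    return sorted(entry for entry in LOG4J1_JMS_CLASSES.values() if entry in names)


def strip_entries(jar_bytes, entries):
    """Return a copy of the jar without the given entries; everything else is
    copied with its original metadata (the stop-gap when no upgrade is possible)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in entries:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


# --- Constructed sample inputs ----------------------------------------------
SAMPLE_PROPERTIES = """\
# constructed log4j.properties for the example
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=dynamicTopics/logs
"""


def build_sample_jar():
    """Build a constructed in-memory jar that bundles the Log4j 1.x JMS classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in LOG4J1_JMS_CLASSES.values():
            jar.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for severity, message in audit_log4j_properties(SAMPLE_PROPERTIES):
        print(f"[{severity}] {message}")
    jar = build_sample_jar()
    found = find_jms_classes(jar)
    print("bundled JMS classes:", found)
    print("after strip:", find_jms_classes(strip_entries(jar, set(found))))
```

Run against real files by reading the configuration text and the jar bytes from disk; a "high" finding or a non-empty class list is the signal that the narrow precondition in the advisory actually applies, whereas a jar with no JMSSink/JMSAppender entries and no such configuration is not exposed by this CVE, which is what lets the reload4j (AMQ-8472) and Log4j 2 (AMQ-7426) upgrades be scheduled rather than rushed.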
--
This message was sent by Atlassian Jira
(v8.20.1#820001)