Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
This looks like you are referencing a log handler that is not shipped as part of the Apache ActiveMQ distribution. Possibly a Fuse or Red Hat A-MQ build?

That part of the ActiveMQ configuration needs to be removed and/or modified.

Thanks,
Matt Pavlovich

> On Feb 1, 2024, at 5:03 PM, Vishnu Middela wrote:
>
> io.fabric8.insight.log.log4j.Log4jLogQuery
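A pre-flight check for the failure discussed in this thread, as an added example that is not part of any message here: it lists every class named in a carried-over activemq.xml that no jar in the new distribution provides. The function names, the JDK prefix list and the sample config and jar are constructed for illustration, and the check assumes the broker resolves these classes from jars under lib/.

```python
"""Find classes referenced by activemq.xml that no jar in the target
distribution provides (added example; the sample data below is constructed)."""
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Packages supplied by the JDK itself, so never present in lib/*.jar.
# Assumption of this example: extend the tuple if your config needs it.
JDK_PREFIXES = ("java.", "javax.", "jdk.", "sun.")


def classes_in_jars(lib_dir):
    """Return the fully qualified names of all classes in jars under lib_dir."""
    found = set()
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".jar"):
                continue
            try:
                with zipfile.ZipFile(os.path.join(root, name)) as jar:
                    for entry in jar.namelist():
                        if entry.endswith(".class"):
                            found.add(entry[:-len(".class")].replace("/", "."))
            except zipfile.BadZipFile:
                continue  # a corrupt or half-copied jar provides nothing
    return found


def referenced_classes(config_path):
    """Return {class name: [element tags]} for every class="..." attribute."""
    refs = {}
    for elem in ET.parse(config_path).iter():
        cls = elem.get("class")
        if cls:
            tag = elem.tag.split("}")[-1]  # drop the XML namespace
            refs.setdefault(cls.strip(), []).append(tag)
    return refs


def missing_classes(config_path, lib_dir):
    """Classes the config asks the broker to load that lib_dir cannot supply."""
    available = classes_in_jars(lib_dir)
    return sorted(
        cls for cls in referenced_classes(config_path)
        if cls not in available and not cls.startswith(JDK_PREFIXES)
    )


# Constructed sample: a config carried over from an older install.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  <bean id="logQuery" class="io.fabric8.insight.log.log4j.Log4jLogQuery"
        init-method="start" destroy-method="stop"/>
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost"/>
</beans>
"""


def demo():
    """Build a throwaway 'new distribution' and check the old config against it."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "conf"))
        os.makedirs(os.path.join(home, "lib", "optional"))
        config = os.path.join(home, "conf", "activemq.xml")
        with open(config, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        # Stand-in jar: only the entry name matters, the class body is empty.
        jar_path = os.path.join(home, "lib", "optional", "spring-beans.jar")
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr(
                "org/springframework/beans/factory/config/"
                "PropertyPlaceholderConfigurer.class", b"")
        return missing_classes(config, os.path.join(home, "lib"))


if __name__ == "__main__":
    for cls in demo():
        print("not provided by any jar under lib/:", cls)
```

Pointed at the copied conf/activemq.xml and the new lib/ directory before the first start, each reported class marks a bean definition to remove or modify, as the reply above advises.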
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Hi,

After upgrading the java version to 11, I was able to start MQ instance, but when I copy activemq.xml from older version of MQ (5.14.5), I am not able to start the MQ instance on (5.18.3).

cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/apache-activemq-5.18.3/conf

Below is the error that I see in the logs.. Any help is appreciated.

2024-02-01 17:51:51,197 | ERROR | Failed to load: class path resource [activemq.xml], reason: Failed to load type: io.fabric8.insight.log.log4j.Log4jLogQuery. Reason: java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery; nested exception is java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery | org.apache.activemq.xbean.XBeanBrokerFactory | main
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to load type: io.fabric8.insight.log.log4j.Log4jLogQuery. Reason: java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery; nested exception is java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery
at org.apache.xbean.spring.context.v2c.XBeanQNameHelper.getBeanInfo(XBeanQNameHelper.java:75)

Thanks & Regards
Vishnu Middela

-Original Message-
From: Vishnu Middela
Sent: Wednesday, January 31, 2024 9:13 AM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

Hi,
Current Java version we have on our system is as below, does this needs to be upgraded too for ApacheMQ classic 5.18.3 to be up and running

/app01/apachemq/apache-activemq-5.18.3/bin
[bodi@aoedw-e-app3009 bin]$ java -version
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)

Thanks & Regards
Vishnu Middela

-Original Message-
From: Vishnu Middela
Sent: Tuesday, January 30, 2024 7:15 AM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

HI,
Below is the confirmation that activemq.log being empty..

-rwx--. 1 bodi bodi0 Oct 24 15:32 activemq.log
drwx--. 2 bodi bodi 4096 Jan 29 17:31 kahadb
-rw---. 1 bodi bodi4 Jan 29 20:02 activemq.pid
[bodi@aoedw-e-app3009 data]$ cat activemq.log
[bodi@aoedw-e-app3009 data]$

Re iterating the steps followed for upgrade from 5.14.5 to 5.18.3

1. Stop the ActiveMQ server process

[bodi@aoedw-e-app3009 bin]$ ./activemq stop

2.Extract new ActiveMQ release

-rw---. 1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
drwx--. 12 bodi bodi 220 Jan 29 17:02 apache-activemq-5.14.5
[bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz

3. Copy any config files from the old conf folder

Copy ActiveMQ broker configuration file

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy users, groups and passwords

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy below two jetty files

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

4.Copy Environment file from old to new folder

cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env /app01/apachemq/tc6v/apache-activemq-5.18.3/bin

5. Copy kahadb folder over to recover any messages

[bodi@aoedw-e-app3009 data]$ cp -r /app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb /app01/apachemq/tc6v/apache-activemq-5.18.3/data

6. Start ActiveMQ

[bodi@aoedw-e-app3009 bin]$ ./activemq start

Thanks & Regards
Vishnu Middela

-Original Message-
From: Justin Bertram
Sent: Monday, January 29, 2024 9:18 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

CAUTION - EXTERNAL:

Your screenshot didn't make it through.

Justin

On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi Justin,
>
> I don’t see anything in the logs either..
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Monday, January 29, 2024 7:47 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> CAUTION - EXTERNAL:
>
> Your output doesn't indicate any problems. Everything looks normal as
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
5.18 requires Java 11+ (https://activemq.apache.org/activemq-5018003-release). 5.16.x is the latest version that supports Java 8. I think 5.16.x includes fixes for the various log4j issues.

> -Original Message-
> From: Vishnu Middela
> Sent: Wednesday, January 31, 2024 2:13 PM
> To: users@activemq.apache.org
> Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> IFS Security Notice - External Email - Don't be too quick to click! Think carefully before clicking on links or attachments. Never provide User ID or Passwords. Report any suspicious emails using the ‘Report Phishing’ button.
>
> Hi,
> Current Java version we have on our system is as below, does this needs to be upgraded too for ApacheMQ classic 5.18.3 to be up and running
>
> /app01/apachemq/apache-activemq-5.18.3/bin
> [bodi@aoedw-e-app3009 bin]$ java -version
> openjdk version "1.8.0_392"
> OpenJDK Runtime Environment (build 1.8.0_392-b08)
> OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Vishnu Middela
> Sent: Tuesday, January 30, 2024 7:15 AM
> To: users@activemq.apache.org
> Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> HI,
> Below is the confirmation that activemq.log being empty..
>
> -rwx--. 1 bodi bodi0 Oct 24 15:32 activemq.log
> drwx--. 2 bodi bodi 4096 Jan 29 17:31 kahadb
> -rw---. 1 bodi bodi4 Jan 29 20:02 activemq.pid
> [bodi@aoedw-e-app3009 data]$ cat activemq.log
> [bodi@aoedw-e-app3009 data]$
>
> Re iterating the steps followed for upgrade from 5.14.5 to 5.18.3
>
> 1. Stop the ActiveMQ server process
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq stop
>
> 2.Extract new ActiveMQ release
>
> -rw---. 1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
> drwx--. 12 bodi bodi 220 Jan 29 17:02 apache-activemq-5.14.5
> [bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz
>
> 3. Copy any config files from the old conf folder
>
> Copy ActiveMQ broker configuration file
>
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
>
> Copy users, groups and passwords
>
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
>
> Copy below two jetty files
>
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
> [bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
>
> 4.Copy Environment file from old to new folder
>
> cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env /app01/apachemq/tc6v/apache-activemq-5.18.3/bin
>
> 5. Copy kahadb folder over to recover any messages
>
> [bodi@aoedw-e-app3009 data]$ cp -r /app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb /app01/apachemq/tc6v/apache-activemq-5.18.3/data
>
> 6. Start ActiveMQ
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq start
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Monday, January 29, 2024 9:18 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> CAUTION - EXTERNAL:
>
> Your screenshot didn't make it through.
>
> Justin
>
> On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:
>
> > Hi Justin,
> >
> > I don’t see anything in the logs either..
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Hi,
Current Java version we have on our system is as below, does this needs to be upgraded too for ApacheMQ classic 5.18.3 to be up and running

/app01/apachemq/apache-activemq-5.18.3/bin
[bodi@aoedw-e-app3009 bin]$ java -version
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)

Thanks & Regards
Vishnu Middela

-Original Message-
From: Vishnu Middela
Sent: Tuesday, January 30, 2024 7:15 AM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

HI,
Below is the confirmation that activemq.log being empty..

-rwx--. 1 bodi bodi0 Oct 24 15:32 activemq.log
drwx--. 2 bodi bodi 4096 Jan 29 17:31 kahadb
-rw---. 1 bodi bodi4 Jan 29 20:02 activemq.pid
[bodi@aoedw-e-app3009 data]$ cat activemq.log
[bodi@aoedw-e-app3009 data]$

Re iterating the steps followed for upgrade from 5.14.5 to 5.18.3

1. Stop the ActiveMQ server process

[bodi@aoedw-e-app3009 bin]$ ./activemq stop

2.Extract new ActiveMQ release

-rw---. 1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
drwx--. 12 bodi bodi 220 Jan 29 17:02 apache-activemq-5.14.5
[bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz

3. Copy any config files from the old conf folder

Copy ActiveMQ broker configuration file

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy users, groups and passwords

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy below two jetty files

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

4.Copy Environment file from old to new folder

cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env /app01/apachemq/tc6v/apache-activemq-5.18.3/bin

5. Copy kahadb folder over to recover any messages

[bodi@aoedw-e-app3009 data]$ cp -r /app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb /app01/apachemq/tc6v/apache-activemq-5.18.3/data

6. Start ActiveMQ

[bodi@aoedw-e-app3009 bin]$ ./activemq start

Thanks & Regards
Vishnu Middela

-Original Message-
From: Justin Bertram
Sent: Monday, January 29, 2024 9:18 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

CAUTION - EXTERNAL:

Your screenshot didn't make it through.

Justin

On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi Justin,
>
> I don’t see anything in the logs either..
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Monday, January 29, 2024 7:47 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> CAUTION - EXTERNAL:
>
> Your output doesn't indicate any problems. Everything looks normal as far as I can tell.
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
HI,
Below is the confirmation that activemq.log being empty..

-rwx--. 1 bodi bodi0 Oct 24 15:32 activemq.log
drwx--. 2 bodi bodi 4096 Jan 29 17:31 kahadb
-rw---. 1 bodi bodi4 Jan 29 20:02 activemq.pid
[bodi@aoedw-e-app3009 data]$ cat activemq.log
[bodi@aoedw-e-app3009 data]$

Re iterating the steps followed for upgrade from 5.14.5 to 5.18.3

1. Stop the ActiveMQ server process

[bodi@aoedw-e-app3009 bin]$ ./activemq stop

2.Extract new ActiveMQ release

-rw---. 1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
drwx--. 12 bodi bodi 220 Jan 29 17:02 apache-activemq-5.14.5
[bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz

3. Copy any config files from the old conf folder

Copy ActiveMQ broker configuration file

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy users, groups and passwords

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy below two jetty files

[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

4.Copy Environment file from old to new folder

cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env /app01/apachemq/tc6v/apache-activemq-5.18.3/bin

5. Copy kahadb folder over to recover any messages

[bodi@aoedw-e-app3009 data]$ cp -r /app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb /app01/apachemq/tc6v/apache-activemq-5.18.3/data

6. Start ActiveMQ

[bodi@aoedw-e-app3009 bin]$ ./activemq start

Thanks & Regards
Vishnu Middela

-Original Message-
From: Justin Bertram
Sent: Monday, January 29, 2024 9:18 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

CAUTION - EXTERNAL:

Your screenshot didn't make it through.

Justin

On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi Justin,
>
> I don’t see anything in the logs either..
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Monday, January 29, 2024 7:47 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> CAUTION - EXTERNAL:
>
> Your output doesn't indicate any problems. Everything looks normal as far as I can tell. This is the same output I see when I execute "activemq start" on a default instance of ActiveMQ Classic 5.18.3.
>
> I recommend you check the output in data/activemq.log to see if the broker started up properly.
>
> Justin
>
> On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:
>
> > Hi,
> > Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3
> >
> > Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue.
Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Your screenshot didn't make it through.

Justin

On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi Justin,
>
> I don’t see anything in the logs either..
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Monday, January 29, 2024 7:47 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> CAUTION - EXTERNAL:
>
> Your output doesn't indicate any problems. Everything looks normal as far as I can tell. This is the same output I see when I execute "activemq start" on a default instance of ActiveMQ Classic 5.18.3.
>
> I recommend you check the output in data/activemq.log to see if the broker started up properly.
>
> Justin
>
> On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:
>
> > Hi,
> > Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3
> >
> > Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue.
> >
> > [bodi@aoedw-e-app3009 bin]$ ./activemq start
> > INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> > INFO: Using java '/usr/bin/java'
> > INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details
> > INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
> >
> > Thanks & Regards
> > Vishnu Middela
> >
> > -Original Message-
> > From: Justin Bertram
> > Sent: Tuesday, January 16, 2024 1:43 PM
> > To: users@activemq.apache.org
> > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
> >
> > CAUTION - EXTERNAL:
> >
> > ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now.
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Hi Justin,

I don’t see anything in the logs either..

[cid:image001.png@01DA52EE.83A2A760]

Thanks & Regards
Vishnu Middela

-Original Message-
From: Justin Bertram
Sent: Monday, January 29, 2024 7:47 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

CAUTION - EXTERNAL:

Your output doesn't indicate any problems. Everything looks normal as far as I can tell. This is the same output I see when I execute "activemq start" on a default instance of ActiveMQ Classic 5.18.3.

I recommend you check the output in data/activemq.log to see if the broker started up properly.

Justin

On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi,
> Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3
>
> Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue.
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq start
> INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> INFO: Using java '/usr/bin/java'
> INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details
> INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Tuesday, January 16, 2024 1:43 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
>
> CAUTION - EXTERNAL:
>
> ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2.
Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Your output doesn't indicate any problems. Everything looks normal as far as I can tell. This is the same output I see when I execute "activemq start" on a default instance of ActiveMQ Classic 5.18.3.

I recommend you check the output in data/activemq.log to see if the broker started up properly.

Justin

On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi,
> Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3
>
> Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue.
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq start
> INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> INFO: Using java '/usr/bin/java'
> INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details
> INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
>
> Thanks & Regards
> Vishnu Middela
>
> -Original Message-
> From: Justin Bertram
> Sent: Tuesday, January 16, 2024 1:43 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
>
> CAUTION - EXTERNAL:
>
> ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2. The best way you can mitigate security issues is to stay up-to-date. I strongly recommend you migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2].
>
> If you don't want to or can't upgrade for some reason then you can remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, & CVE-2022-23302.
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Hi, Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3 Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue. [bodi@aoedw-e-app3009 bin]$ ./activemq start INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env' INFO: Using java '/usr/bin/java' INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302') Thanks & Regards Vishnu Middela -Original Message- From: Justin Bertram Sent: Tuesday, January 16, 2024 1:43 PM To: users@activemq.apache.org Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities CAUTION - EXTERNAL: ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2. The best way you can mitigate security issues is to stay up-to-date. I strongly recommend you migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2]. If you don't want to or can't upgrade for some reason then you can remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, & CVE-2022-23302. Justin [1] https://reload4j.qos.ch/ [2] https://activemq.apache.org/components/classic/download/ [3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela < vishnu_midd...@ao.uscourts.gov> wrote: > Hi, > Security team had raised concern on Log4j vulnerabilities for > Apache Active MQ. > > Our current Apache Active MQ version is 5.15.8. > > Can you please let us know how we can avoid these Log4J vulnerabilities. > > Also below is the sample report attached. 
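A filename-based inventory for the jar swap described in the reply above (remove log4j-1.2.17.jar, drop in reload4j-1.2.25.jar), added here as an example and not part of the thread or of ActiveMQ. The function names and the sample tree are constructed for illustration; the check assumes jars keep their published file names.

```shell
#!/bin/sh
# Added example: find Log4j 1.x jars on disk and check each install's status.

# Print "version<TAB>path" for every Log4j 1.x jar under ROOT ($1).
# log4j-1.2-api-*.jar is the Log4j 2 bridge artifact, not Log4j 1.x: skipped.
list_log4j1() {
    find "$1" -type f -name 'log4j-1.*.jar' ! -name 'log4j-1.2-api-*' 2>/dev/null |
    sort |
    while IFS= read -r jar; do
        base=${jar##*/}            # file name without directories
        ver=${base#log4j-}         # drop the "log4j-" prefix
        printf '%s\t%s\n' "${ver%.jar}" "$jar"
    done
}

# Classify one install directory ($1):
#   log4j1   - a Log4j 1.x jar is still present (even if reload4j was added)
#   reload4j - no Log4j 1.x jar, reload4j drop-in present
#   none     - neither found (e.g. a release that logs through Log4j 2)
install_status() {
    if [ -n "$(list_log4j1 "$1")" ]; then
        echo log4j1
    elif [ -n "$(find "$1" -type f -name 'reload4j-*.jar' 2>/dev/null)" ]; then
        echo reload4j
    else
        echo none
    fi
}

# Build a constructed sample tree (empty files, names only) and print its root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    for d in a b c d; do mkdir -p "$root/$d/lib/optional"; done
    : > "$root/a/lib/optional/log4j-1.2.17.jar"          # unpatched
    : > "$root/b/lib/optional/reload4j-1.2.25.jar"       # jar swapped
    : > "$root/c/lib/optional/log4j-1.2.17.jar"          # old jar left behind
    : > "$root/c/lib/optional/reload4j-1.2.25.jar"
    : > "$root/d/lib/optional/log4j-1.2-api-2.20.0.jar"  # bridge, constructed name
    echo "$root"
}

# Usage: sh audit.sh /app01/apachemq
if [ "$#" -gt 0 ]; then
    list_log4j1 "$1"
fi
```

An install that has reload4j added but the old jar left in place still reports `log4j1`, since both jars on the classpath leave the original classes loadable.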
RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
Hi,

Any update on below request is appreciated..thanks

Thanks & Regards
Vishnu Middela

-Original Message-
From: Vishnu Middela
Sent: Tuesday, January 23, 2024 2:23 PM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities

Hi,

If I want to upgrade current version of Apache MQ from 5.15.8 to 5.18.3 version are there any specific guidelines that I need to follow? Can you please share any documentation that I can refer to.

Thanks & Regards
Vishnu Middela

-Original Message-
From: Justin Bertram
Sent: Tuesday, January 16, 2024 1:43 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities

ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2.

The best way you can mitigate security issues is to stay up-to-date. I strongly recommend you migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2].

If you don't want to or can't upgrade for some reason then you can remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, & CVE-2022-23302.

Justin

[1] https://reload4j.qos.ch/
[2] https://activemq.apache.org/components/classic/download/
[3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar

On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela < vishnu_midd...@ao.uscourts.gov> wrote:
> Hi,
> Security team had raised concern on Log4j vulnerabilities for
> Apache Active MQ.
>
> Our current Apache Active MQ version is 5.15.8.
>
> Can you please let us know how we can avoid these Log4J vulnerabilities.
>
> Also below is the sample report attached.