Hi, I was about to send a message to the mailing list to give an update.
1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by CVE-2021-44228. The other mentioned CVE only affects users using the JMS appender, which is pretty rare.
2. ActiveMQ 5.17.x (main) will use log4j2; I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE.
Regards,
JB

On 13/12/2021 09:59, Lionel Cons wrote:
> Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228. I've read different things from different sources.
>
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
>
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible."
>
> It seems that ActiveMQ 5.16 uses log4j 1.2.17. Could we please get an official statement about ActiveMQ's security wrt log4j?
>
> Thanks!
> Lionel