Justin has already clarified that ActiveMQ Artemis doesn't use/ship any version of Log4J, its binary package doesn't include tests and their dependencies, so it isn't affected by those log4j vulnerabilities.
On Mon, 13 Dec 2021 at 15:52, Chittaranjan Panda <chittaran...@hotmail.com> wrote: > Hi, > > Is Apache Artemis 2.18.0 is affected by log4j vulnerability ? > > > > I found in dependencies it uses jboss-logging ( > > https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging/3.4.2.Final > ) > which contains log4j-api 2.11.2 and log4j 1.2.16 and in test dependencies > uses log4j-core 2.11.2. > > > > Any help and clarification on this topic. > > > > Thank you in advance > > On Mon, Dec 13, 2021 at 7:46 PM Justin Bertram <jbert...@apache.org> > wrote: > > > ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228 > > doesn't impact it. > > > > > > Justin > > > > On Mon, Dec 13, 2021 at 7:40 AM Benny K <ben...@gmx.net> wrote: > > > > > Hi all, > > > > > > we have two different Active MQ versions in production-use: > > > > > > - Active MQ 5.8.0 > > > - Active MQ Artemis 2.17.0 > > > > > > is it right that they both are using log4j-1.2.17 and they are NOT > > > affected by the log4j vulnerability / "log4shell"? > > > > > > Any help would be really great. :-) > > > > > > Thanks and Best Regards > > > Benjamin > > > > > > > > > > > >
