> Could we please get an official statement about ActiveMQ’s security wrt log4j?
To be clear, this [1] is the official statement you requested.

Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Mon, Dec 13, 2021 at 3:00 AM Lionel Cons <lionel.c...@cern.ch> wrote:
> Recently, a new critical vulnerability has been published for log4j:
> CVE-2021-44228.
>
> I've read different things from different sources.
>
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> "This issue only affects log4j versions between 2.0 and 2.14.1".
>
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q):
> "Any Log4J version prior to v2.15.0 is affected to this specific issue."
> and, more explicitly, "The v1 branch of Log4J which is considered End Of
> Life (EOL) is vulnerable to other RCE vectors so the recommendation is to
> still update to 2.15.0 where possible."
>
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
>
> Could we please get an official statement about ActiveMQ's security wrt
> log4j?
>
> Thanks!
>
> Lionel
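The thread turns on two facts: which log4j version range CVE-2021-44228 covers, and which log4j version an ActiveMQ 5.16 installation actually bundles. The script below is an added example, not ActiveMQ project code and not part of this thread. It inventories the jars in an installation's lib/ directory, reads each jar's Implementation-Version from its manifest (falling back to the version in the filename), and sorts them into the buckets the quoted advisories describe: log4j 1.x (EOL, outside the CVE range), log4j 2.0 through 2.14.1 (the range Red Hat quotes), and 2.15.0 or later. The directory, jar names and manifest contents are constructed here so it runs offline; point scan_lib() at a real $ACTIVEMQ_HOME/lib to use it on an installation.

```python
"""Inventory the log4j jars bundled with an ActiveMQ installation and classify
them against the version ranges quoted in the thread. Added example, not
ActiveMQ project code; the directory layout and jar names are assumptions."""
import os
import re
import tempfile
import zipfile

# Constructed sample jars (name -> Implementation-Version to write into the
# manifest, or None to leave it out and force the filename fallback).
SAMPLE_JARS = {
    "log4j-1.2.17.jar": "1.2.17",              # what the thread says 5.16 ships
    "log4j-core-2.14.1.jar": "2.14.1",         # inside the CVE-2021-44228 range
    "log4j-core-2.15.0.jar": "2.15.0",         # first release outside it
    "log4j-api-2.14.1.jar": None,              # manifest without a version
    "activemq-broker-5.16.3.jar": "5.16.3",    # not log4j at all
}

# Maven-style naming: <artifactId>-<version>.jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def build_sample_dir():
    """Create a temp lib/ directory holding minimal jars with a MANIFEST.MF."""
    lib = tempfile.mkdtemp(prefix="activemq-lib-")
    for name, version in SAMPLE_JARS.items():
        manifest = "Manifest-Version: 1.0\r\n"
        if version is not None:
            manifest += f"Implementation-Version: {version}\r\n"
        with zipfile.ZipFile(os.path.join(lib, name), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", manifest)
    return lib


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); stops at the first non-numeric part, so
    '2.0-beta9' -> (2, 0)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def manifest_version(path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(path) as z:
        try:
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(artifact, version):
    """Map an artifact id and version string to one of four buckets."""
    # Artifact ids are a heuristic: 'log4j' is the 1.x jar, 'log4j-*' the 2.x
    # modules. Confirm anything flagged against the vendor's own statement.
    if artifact != "log4j" and not artifact.startswith("log4j-"):
        return "not-log4j"
    v = parse_version(version)
    if v[:1] == (1,):
        return "log4j1-eol"                  # outside the CVE range, but EOL
    if (2, 0) <= v <= (2, 14, 1):
        return "cve-2021-44228-range"        # Red Hat's "between 2.0 and 2.14.1"
    return "log4j2-outside-range"            # 2.15.0 and later


def scan_lib(lib_dir):
    """Return {jar name: (version, bucket)} for every jar in lib_dir."""
    results = {}
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_RE.match(name)
        if not m:
            continue
        path = os.path.join(lib_dir, name)
        # Prefer the manifest: filenames can be renamed, manifests rarely are.
        version = manifest_version(path) or m.group("version")
        results[name] = (version, classify(m.group("artifact"), version))
    return results


if __name__ == "__main__":
    for jar, (version, bucket) in scan_lib(build_sample_dir()).items():
        print(f"{jar:32} {version:10} {bucket}")
```

The buckets reproduce only the ranges the quoted advisories state. A jar landing in "log4j1-eol" is outside the CVE-2021-44228 range but, as the GitHub advisory quoted above notes, 1.x is end of life and carries other issues, so the official ActiveMQ statement Justin links remains the reference for what to do about it.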