Hi,
Again (maybe for the fourth time):
1. ActiveMQ 5.15/5.16 is NOT impacted by log4shell as it uses log4j 1.
2. ActiveMQ 5.17.0 will use at least log4j 2.17.1. ETA is not before
the beginning of Feb (I plan to start the vote end of Jan).
3. Tomcat/Jetty are already updated.
4. As said yesterday, I don't think it's a good idea to upgrade to
ActiveMQ 5.17.x just for log4j because it doesn't make sense (again no
vulnerability in ActiveMQ 5.15/5.16) and it's a big jump.
You can take a look at:
https://activemq.apache.org/news/cve-2021-44228
Regards
JB
On 04/01/2022 08:57, Eugene Vigoutov wrote:
Hi
Is there any ETA for 5.17?
Will it include log4j 2.17.1 (the latest fix)?
We also learned that it uses a vulnerable Tomcat version - will it be fixed as
well?
Regards
Vigo