JB, should we put that link somewhere prominent on
https://activemq.apache.org/contact for a few months? I believe all the
users who posted questions about the CVE were first-time posters who likely
went to that page before posting questions, so we might be able to save
everyone the time and frustration by heading off the question for folks.

Tim

On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <j...@nanthrax.net> wrote:

> Hi,
>
> Again, a new time:
>
> https://activemq.apache.org/news/cve-2021-44228
>
> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because they
> are using log4j 1.x
>
> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>
> Regards
> JB
>
> On Jan 8, 2022, at 11:35, Deepti Sharma S <deepti.s.sha...@ericsson.com.INVALID> wrote:
> >
> > Hello Team,
> >
> > As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can
> > you please confirm, when we have ActiveMQ all, version release which has
> > this vulnerability fix and has Log4J version 2.17?
> >
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP(r) & ITIL
> >
> >
>
>
