On 13 Jan 2022 at 21:59, Justin Bertram <jbert...@apache.org> wrote:
> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
> Log4j 1.2.17 has not been maintained since August 2015.
The "official statement" [1] that you reference is only dealing with
CVE-2021-44228. It's not a general statement about all the security
vulnerabilities in Log4j 1.2.17. It remains a fact that Log4j 1.2.17 is not
impacted by CVE-2021-44228.
> Here an existing security vulnerability (CVE-2019-17571) is not fixed
> with the note "Users are urged to upgrade to Log4j 2".
Regarding CVE-2019-17571 you can read more on this Jira [2]. In short, as
noted by Jean-Baptiste Onofré, "ActiveMQ is not affected as it doesn't use
the SocketServer. However, I think it makes sense to update/support
log4j2..." AMQ-7426 [3] was later created to track the work to upgrade to
Log4j 2.
> This situation will not be accepted by a number of large customers, which
> demand a timely exchange of this component to the officially released new
> Log4j version 2.
Since you've sent this email to the public Apache ActiveMQ mailing lists
you're dealing with "community support" as described on the ActiveMQ
website [4]. As noted, this support is provided on a volunteer basis.
Furthermore, in the spirit of open-source, all community members are
encouraged (although certainly not required) to get involved. As noted in a
recent position paper [5] from the Apache Software Foundation, "Community
is defined by those who show up and do the work." I would strongly
encourage your organization, as an "intensive user of the Apache
technology," to avail itself of *all* the benefits of open source. With
your help to "do the work" this issue could potentially have been resolved
long ago.
> Therefore we ask you kindly to name and communicate an official release
> date for ActiveMQ 5.17.0 (including the Log4j version 2).
Given the volunteer nature of community support and how open-source works
at Apache I'm not sure "an official release date" can be provided, at least
not like you'd expect from a commercial software vendor. As noted on the
users mailing list as well as the Log4j 2 upgrade PR [6] (linked from the
aforementioned statement about CVE-2021-44228 [1]), the current plan is to
put a release up for vote at the end of January. All community members can
vote on the release for 3 days, and if the vote passes then the release
should be done in early February.
I hope that helps!
Justin
[1] https://activemq.apache.org/news/cve-2021-44228
[2] https://issues.apache.org/jira/browse/AMQ-7370
[3] https://issues.apache.org/jira/browse/AMQ-7426
[4] https://activemq.apache.org/support
[5] https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper
[6] https://github.com/apache/activemq/pull/662
On Thu, Jan 13, 2022 at 2:09 PM Knöringer, Ralf <ralf.knoerin...@atos.net.invalid> wrote:
To whom it may concern,
as an intensive user of the Apache technology in our enterprise
architecture and product portfolio I may draw your attention to a critical
issue.
Based on the known vulnerability CVE-2021-44228 in the Log4j Version 2
many of our large enterprise customers (e.g. Volkswagen Financial Services)
are becoming very sensitive to the risk of using software elements not
under maintenance.
Unfortunately we have this situation with the message broker ActiveMQ
"Classic" (the latest versions 5.15.15 and 5.16.3) as there is an embedded
use of the Log4j version 1.2.17.
The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
Log4j 1.2.17 has not been maintained since August 2015.
(Here an existing security vulnerability (CVE-2019-17571) is not fixed
with the note "Users are urged to upgrade to Log4j 2".)
This situation will not be accepted by a number of large customers, which
demand a timely exchange of this component to the officially released new
Log4j version 2.
Therefore we ask you kindly to name and communicate an official release
date for ActiveMQ 5.17.0 (including the Log4j version 2).
A timely answer is really appreciated as we think this could mitigate
negative responses and create a positive feedback from the market.
Best regards
Ralf Knöringer
Senior Manager
Big Data & Cybersecurity - IAM
M: +49 172 5229705
Otto-Hahn-Ring 6, 81739 Munich - Germany
atos.net <https://atos.net/>
Atos Information Technology GmbH; Managing Directors: Udo Littke, Boris
Hecker; Chairman of the Supervisory Board: N.N.; Registered office: Munich;
Commercial register of the local court of Munich, HRB 235509
Important notice: This e-mail and any attachment thereof contain corporate
proprietary information. If you have received it by mistake, please notify
us immediately by reply e-mail and delete this e-mail and its attachments
from your system. Thank you.