Hello Deepti-

ActiveMQ 5.16.2 and 5.16.3 are _not_ vulnerable to CVE-2021-44228.

Thanks,
Matt

> On Feb 7, 2022, at 11:32 AM, Deepti Sharma S
> <deepti.s.sha...@ericsson.com.INVALID> wrote:
>
> Hello Matt,
>
> We are using ActiveMQ all version 5.16.2 and 5.16.3.
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
> -----Original Message-----
> From: Matt Pavlovich <mattr...@gmail.com>
> Sent: Monday, February 7, 2022 10:50 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
> Hello Deepti-
>
> What version of ActiveMQ are you using? I suspect that you have incorrect
> information about CVE-2021-44228 and ActiveMQ.
>
> -Matt Pavlovich
>
>> On Feb 7, 2022, at 6:20 AM, Deepti Sharma S
>> <deepti.s.sha...@ericsson.com.INVALID> wrote:
>>
>> Hello Justin,
>>
>> I would like to follow-up on the release date of ActiveMQ 5.17.x version. I
>> have seen the below thread, however could not find the exact date/week for
>> the same.
>>
>> Could you please help here?
>>
>> Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can you
>> please help to understand the procedure for the same.
>>
>> Regards,
>> Deepti Sharma
>> PMP® & ITIL
>>
>> -----Original Message-----
>> From: Justin Bertram <jbert...@apache.org>
>> Sent: Tuesday, January 18, 2022 9:09 PM
>> To: users@activemq.apache.org
>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>>
>>> when we download the Active Mq from below Maven link the jar name is "
>>> ActiveMQ all", however I could not find this from Active MQ website.
>>
>> All Maven artifacts are built from the source code. You can find links to
>> all the ActiveMQ source code repositories on the website [1]. You need to
>> look in the actual repository to see the code for a specific Maven module
>> like "activemq-all" which can be found here [2].
>>
>>> I might miss the release date for 5.17...
>>
>> If you miss anything on the users mailing list you can go back and review
>> the archive [3] which is linked from the website [4].
>>
>> Justin
>>
>> [1] https://activemq.apache.org/contributing
>> [2] https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-6ccda375f1ae0b10&q=1&e=8096bb19-015a-4b40-a864-13aaa0443b5a&u=https%3A%2F%2Fgithub.com%2Fapache%2Factivemq%2Ftree%2Fmain%2Factivemq-all
>> [3] https://lists.apache.org/list.html?users@activemq.apache.org
>> [4] https://activemq.apache.org/contact
>>
>> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S
>> <deepti.s.sha...@ericsson.com.invalid> wrote:
>>
>>> Hello Justin,
>>>
>>> The question is, when we download the Active Mq from below Maven
>>> link the jar name is " ActiveMQ all", however I could not find this
>>> from Active MQ website.
>>>
>>> I might miss the release date for 5.17, it would be helpful, if you
>>> could confirm the release date for the same.
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP® & ITIL
>>>
>>> -----Original Message-----
>>> From: Justin Bertram <jbert...@apache.org>
>>> Sent: Tuesday, January 18, 2022 8:33 PM
>>> To: users@activemq.apache.org
>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>>>
>>>> Does Active MQ all (//
>>>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>>>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>>>> Active MQ Classic?
>>>
>>> I don't understand the question. What exactly are you asking here?
>>>
>>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>
>>> This question has *already* been answered on this thread (and many
>>> other places on this mailing list).
>>>
>>> Justin
>>>
>>> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S
>>> <deepti.s.sha...@ericsson.com.invalid> wrote:
>>>
>>>> Hello All,
>>>>
>>>> 2 questions:
>>>> Does Active MQ all (//
>>>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>>>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>>>> Active MQ Classic?
>>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>>
>>>> Regards,
>>>> Deepti Sharma
>>>> PMP® & ITIL
>>>>
>>>> -----Original Message-----
>>>> From: Justin Bertram <jbert...@apache.org>
>>>> Sent: Sunday, January 9, 2022 1:29 AM
>>>> To: users@activemq.apache.org
>>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>>>>
>>>> For what it's worth, it's already noted on the index page as well as
>>>> the "News" page as well as noted in multiple emails on both the
>>>> users and dev mailing lists. Even searches for "activemq
>>>> CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant
>>>> information in the first few results.
>>>> In my opinion if folks aren't finding the information it's because
>>>> they aren't looking. There's always going to be folks like that
>>>> unfortunately.
>>>>
>>>> Justin
>>>>
>>>> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre
>>>> <j...@nanthrax.net> wrote:
>>>>
>>>>> Hi Tim,
>>>>>
>>>>> Good idea, I think it would be helpful to have it directly on index
>>>>> page and contact yeah.
>>>>>
>>>>> I can do the change if everyone agrees.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>>> On Jan 8, 2022, at 16:44, Tim Bain <tb...@alumni.duke.edu> wrote:
>>>>>>
>>>>>> JB, should we put that link somewhere prominent on
>>>>>> https://activemq.apache.org/contact for a few months? I believe
>>>>>> all the users who posted questions about the CVE were first-time
>>>>>> posters who likely went to that page before posting questions, so
>>>>>> we might be able to save everyone the time and frustration by
>>>>>> heading off the question for folks.
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
>>>>>> <j...@nanthrax.net> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Again, a new time:
>>>>>>>
>>>>>>> https://activemq.apache.org/news/cve-2021-44228
>>>>>>>
>>>>>>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
>>>>>>> because they are using log4j 1.x
>>>>>>>
>>>>>>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>>>>>>
>>>>>>> Regards
>>>>>>> JB
>>>>>>>
>>>>>>>> On Jan 8, 2022, at 11:35, Deepti Sharma S
>>>>>>>> <deepti.s.sha...@ericsson.com.INVALID> wrote:
>>>>>>>>
>>>>>>>> Hello Team,
>>>>>>>>
>>>>>>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
>>>>>>>> (Critical), can you please confirm, when we have ActiveMQ all,
>>>>>>>> version release which has this vulnerability fix and has Log4J
>>>>>>>> version 2.17?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Deepti Sharma
>>>>>>>> PMP(r) & ITIL
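
Added example, not part of the thread or of ActiveMQ's code: the thread's answer rests on which Log4j generation an artifact bundles (1.x versus 2.x), and one way to check that for an uber-jar or a webapp is to look at the class paths inside the archive, including nested jars. The jar contents and file names below are constructed samples, and the function names are illustrative.

```python
import io
import zipfile

# Package prefixes that identify each Log4j generation inside an archive.
# Note: the log4j-1.2-api bridge from Log4j 2 also uses org/apache/log4j/.
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Class implementing the JNDI lookup involved in CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear")


def scan_archive(data, label="<root>"):
    """Return {archive label: set of findings} for a jar and jars nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {label: {"unreadable"}}
    findings, hits = {}, set()
    with zf:
        for name in zf.namelist():
            if name.startswith(LOG4J1_PREFIX):
                hits.add("log4j-1.x")
            elif name.startswith(LOG4J2_CORE_PREFIX):
                hits.add("log4j2-core")
                if name == JNDI_LOOKUP:
                    hits.add("log4j2-JndiLookup")
            elif name.lower().endswith(NESTED):
                findings.update(scan_archive(zf.read(name), f"{label}!{name}"))
    if hits:
        findings[label] = hits
    return findings


def make_jar(entries):
    """Build a constructed in-memory jar from {path: bytes} (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: an uber-jar bundling Log4j 1.x classes, and a webapp
# carrying a nested Log4j 2 core jar (placeholder file name).
UBER_LOG4J1 = make_jar({"org/apache/log4j/Logger.class": b"",
                        "com/example/App.class": b""})
LOG4J2_LIB = make_jar({"org/apache/logging/log4j/core/Logger.class": b"",
                       JNDI_LOOKUP: b""})
WEBAPP = make_jar({"WEB-INF/lib/log4j-core-X.jar": LOG4J2_LIB})

if __name__ == "__main__":
    for label, blob in (("uber", UBER_LOG4J1), ("webapp", WEBAPP)):
        print(label, scan_archive(blob))
```

Class-path presence shows which generation is bundled, not its exact version, and classes relocated to a renamed package by a shading plugin will not match these prefixes.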