Your output doesn't indicate any problems. Everything looks normal as far
as I can tell. This is the same output I see when I execute "activemq
start" on a default instance of ActiveMQ Classic 5.18.3.

I recommend you check the output in data/activemq.log to see if the broker
started up properly.


Justin

On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <
vishnu_midd...@ao.uscourts.gov> wrote:

> Hi,
> Attached are the steps that are followed to upgrade ApacheMQ
> classic from 5.15.8 to 5.18.3
>
> Only message I see is as below after trying to start activemq. Please let
> me know if I missed any steps and how to debug this issue.
>
> [bodi@aoedw-e-app3009 bin]$ ./activemq start
> INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> INFO: Using java '/usr/bin/java'
> INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details
> INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
>
> Thanks & Regards
> Vishnu Middela
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Tuesday, January 16, 2024 1:43 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
>
> ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now.
> Since then, in part to deal with security issues, the logging
> implementation changed to Reload4j and then eventually to Log4j 2. The best
> way you can mitigate security issues is to stay up-to-date. I strongly
> recommend you migrate to the latest release of ActiveMQ Classic 5.x which
> is 5.18.3 [2].
>
> If you don't want to or can't upgrade for some reason then you can remove
> log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to
> be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, &
> CVE-2022-23302.
>
>
> Justin
>
> [1] https://reload4j.qos.ch/
> [2] https://activemq.apache.org/components/classic/download/
> [3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar
>
> On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela <
> vishnu_midd...@ao.uscourts.gov> wrote:
>
> > Hi,
> > Security team had raised concern on Log4j vulnerabilities for
> > Apache Active MQ.
> >
> > Our current Apache Active MQ version is 5.15.8.
> >
> > Can you please let us know how we can avoid these Log4J vulnerabilities.
> >
> > Also below is the sample report attached.
> >
> > Plugin Output:
> >   Path              : /app01/apachemq/HermesJMS/lib/log4j-1.2.15.jar
> >   Installed version : 1.2.15
> >
> >   Path              : /app01/apachemq/nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/nynd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/nysd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/nceb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/ncwb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/njb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/njd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/ohnd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/ohsb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/ohsd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/almd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/ctd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/dcb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/kyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/kywb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/kywd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/paed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/pawb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/pawd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/rid/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/tned/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/vtd/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> >   Path              : /app01/apachemq/wvnb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar
> >   Installed version : 1.2.17
> >
> > According to its self-reported version number, the installation of
> > Apache Log4j on the remote host is 1.x and is no longer supported.
> > Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x
> > is affected by multiple vulnerabilities, including :
> >
> >   - Log4j includes a SocketServer that accepts serialized log events and
> > deserializes them without verifying whether the objects are allowed or
> > not. This can provide an attack vector that can be exploited.
> > (CVE-2019-17571)
> >
> >   - Improper validation of certificate with host mismatch in Apache Log4j
> > SMTP appender. This could allow an SMTPS connection to be intercepted
> > by a man-in-the-middle attack which could leak any log messages sent
> > through that appender. (CVE-2020-9488)
> >
> >   - JMSSink uses JNDI in an unprotected manner allowing any application
> > using the JMSSink to be vulnerable if it is configured to reference an
> > untrusted site or if the site referenced can be accessed by the attacker.
> > (CVE-2022-23302)
> >
> > Lack of support implies that no new security patches for the product
> > will be released by the vendor. As a result, it is likely to contain
> > security vulnerabilities.
> > Apache Log4j 1.x Multiple Vulnerabilities
> >
> >
> >
> > Thanks & Regards
> > Vishnu Middela
> >
> >

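Added example, not part of the original thread or of ActiveMQ: a Python sketch that inventories Log4j 1.x and reload4j jars by file name under an install root, to confirm that the jar swap described above left no log4j-1.x jar behind or sitting beside its replacement. The function names, status labels and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File-name patterns; like the scan report, this trusts the self-reported version.
LOG4J1_JAR = re.compile(r"^log4j-(1\.\d+(?:\.\d+)*)\.jar$")
RELOAD4J_JAR = re.compile(r"^reload4j-(\d+(?:\.\d+)*)\.jar$")

def audit_log4j1(root):
    """Return (directory, status, log4j1_versions, reload4j_versions) tuples."""
    dirs = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        for kind, pattern in (("log4j1", LOG4J1_JAR), ("reload4j", RELOAD4J_JAR)):
            match = pattern.match(jar.name)
            if match:
                found = dirs.setdefault(jar.parent, {"log4j1": [], "reload4j": []})
                found[kind].append(match.group(1))
    report = []
    for directory in sorted(dirs):
        found = dirs[directory]
        if found["log4j1"] and found["reload4j"]:
            status = "conflict"          # old jar left beside its replacement
        elif found["log4j1"]:
            status = "log4j1-present"    # still needs the upgrade or the jar swap
        else:
            status = "replaced"          # only reload4j remains
        report.append((str(directory), status, found["log4j1"], found["reload4j"]))
    return report

def make_sample_tree(root):
    """Create empty, constructed jar files that mimic the layout in the report."""
    samples = [
        "HermesJMS/lib/log4j-1.2.15.jar",
        "nyeb/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar",
        "nyed/apache-activemq-5.15.8/lib/optional/log4j-1.2.17.jar",
        "nyed/apache-activemq-5.15.8/lib/optional/reload4j-1.2.25.jar",
        "njb/apache-activemq-5.15.8/lib/optional/reload4j-1.2.25.jar",
        "tc6v/apache-activemq-5.18.3/lib/optional/log4j-core-2.0.0.jar",
    ]
    for rel in samples:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for directory, status, old, new in audit_log4j1(tmp):
            print(f"{status:15} {directory} log4j={old} reload4j={new}")
```

Jars outside the broker's lib/optional directory, such as the HermesJMS copy in the report, are listed as well because the walk covers the whole root.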