Hi,

After upgrading the java version to 11, I was able to start MQ instance, but when I copy activemq.xml from older version of MQ (5.14.5), I am not able to start the MQ instance on (5.18.3).

cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/apache-activemq-5.18.3/conf

Below is the error that I see in the logs. Any help is appreciated.

2024-02-01 17:51:51,197 | ERROR | Failed to load: class path resource [activemq.xml], reason: Failed to load type: io.fabric8.insight.log.log4j.Log4jLogQuery. Reason: java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery; nested exception is java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery | org.apache.activemq.xbean.XBeanBrokerFactory | main
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to load type: io.fabric8.insight.log.log4j.Log4jLogQuery. Reason: java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery; nested exception is java.lang.ClassNotFoundException: io.fabric8.insight.log.log4j.Log4jLogQuery
        at org.apache.xbean.spring.context.v2c.XBeanQNameHelper.getBeanInfo(XBeanQNameHelper.java:75)

Thanks & Regards
Vishnu Middela

-----Original Message-----
From: Vishnu Middela <vishnu_midd...@ao.uscourts.gov>
Sent: Wednesday, January 31, 2024 9:13 AM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

Hi,

Current Java version we have on our system is as below. Does this need to be upgraded too for ApacheMQ classic 5.18.3 to be up and running?

/app01/apachemq/apache-activemq-5.18.3/bin
[bodi@aoedw-e-app3009 bin]$ java -version
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)

Thanks & Regards
Vishnu Middela

-----Original Message-----
From: Vishnu Middela <vishnu_midd...@ao.uscourts.gov>
Sent: Tuesday, January 30, 2024 7:15 AM
To: users@activemq.apache.org
Subject: RE: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

Hi,

Below is the confirmation that activemq.log is empty.

-rwx------. 1 bodi bodi 0 Oct 24 15:32 activemq.log
drwx------. 2 bodi bodi 4096 Jan 29 17:31 kahadb
-rw-------. 1 bodi bodi 4 Jan 29 20:02 activemq.pid
[bodi@aoedw-e-app3009 data]$ cat activemq.log
[bodi@aoedw-e-app3009 data]$

Reiterating the steps followed for upgrade from 5.14.5 to 5.18.3:

1. Stop the ActiveMQ server process

[bodi@aoedw-e-app3009 bin]$ ./activemq stop

2. Extract new ActiveMQ release

-rw-------. 1 bodi bodi 49549502 Jan 25 15:19 apache-activemq-5.18.3-bin.tar.gz
drwx------. 12 bodi bodi 220 Jan 29 17:02 apache-activemq-5.14.5
[bodi@aoedw-e-app3009 tc6v]$ tar zxvf apache-activemq-5.18.3-bin.tar.gz

3. Copy any config files from the old conf folder

Copy ActiveMQ broker configuration file
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/activemq.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy users, groups and passwords
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/users.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

Copy below two jetty files
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty.xml /app01/apachemq/tc6v/apache-activemq-5.18.3/conf
[bodi@aoedw-e-app3009 conf]$ cp /app01/apachemq/tc6v/apache-activemq-5.14.5/conf/jetty-realm.properties /app01/apachemq/tc6v/apache-activemq-5.18.3/conf

4. Copy Environment file from old to new folder

cp /app01/apachemq/tc6v/apache-activemq-5.14.5/bin/env /app01/apachemq/tc6v/apache-activemq-5.18.3/bin

5. Copy kahadb folder over to recover any messages

[bodi@aoedw-e-app3009 data]$ cp -r /app01/apachemq/tc6v/apache-activemq-5.14.5/data/kahadb /app01/apachemq/tc6v/apache-activemq-5.18.3/data

6. Start ActiveMQ

[bodi@aoedw-e-app3009 bin]$ ./activemq start

Thanks & Regards
Vishnu Middela

-----Original Message-----
From: Justin Bertram <jbert...@apache.org>
Sent: Monday, January 29, 2024 9:18 PM
To: users@activemq.apache.org
Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade

CAUTION - EXTERNAL:

Your screenshot didn't make it through.


Justin

On Mon, Jan 29, 2024 at 7:06 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:

> Hi Justin,
>
> I don’t see anything in the logs either..
>
> Thanks & Regards
> Vishnu Middela
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Monday, January 29, 2024 7:47 PM
> To: users@activemq.apache.org
> Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities--Apache ActiveMQ classic version upgrade
>
> Your output doesn't indicate any problems. Everything looks normal as far as I can tell. This is the same output I see when I execute "activemq start" on a default instance of ActiveMQ Classic 5.18.3.
>
> I recommend you check the output in data/activemq.log to see if the broker started up properly.
>
>
> Justin
>
> On Mon, Jan 29, 2024 at 5:50 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:
>
> > > Hi,
> > > Attached are the steps that are followed to upgrade ApacheMQ classic from 5.15.8 to 5.18.3
> > >
> > > Only message I see is as below after trying to start activemq. Please let me know if I missed any steps and how to debug this issue.
> > >
> > > [bodi@aoedw-e-app3009 bin]$ ./activemq start
> > > INFO: Loading '/app01/apachemq/tc6v/apache-activemq-5.18.3//bin/env'
> > > INFO: Using java '/usr/bin/java'
> > > INFO: Starting - inspect logfiles specified in logging.properties and log4j2.properties to get details
> > > INFO: pidfile created : '/app01/apachemq/tc6v/apache-activemq-5.18.3//data/activemq.pid' (pid '18302')
> > >
> > > Thanks & Regards
> > > Vishnu Middela
> > >
> > > -----Original Message-----
> > > From: Justin Bertram <jbert...@apache.org>
> > > Sent: Tuesday, January 16, 2024 1:43 PM
> > > To: users@activemq.apache.org
> > > Subject: Re: Apache Log4j 1.x Multiple Vulnerabilities
> > >
> > > ActiveMQ Classic 5.15.8 was released in early 2019, almost 5 years ago now. Since then, in part to deal with security issues, the logging implementation changed to Reload4j and then eventually to Log4j 2. The best way you can mitigate security issues is to stay up-to-date. I strongly recommend you migrate to the latest release of ActiveMQ Classic 5.x which is 5.18.3 [2].
> > >
> > > If you don't want to or can't upgrade for some reason then you can remove log4j-1.2.17.jar and drop in reload4j-1.2.25.jar [3] as it was designed to be binary compatible. That will resolve CVE-2019-17571, CVE-2020-9488, & CVE-2022-23302.
> > >
> > >
> > > Justin
> > >
> > > [1] https://reload4j.qos.ch/
> > > [2] https://activemq.apache.org/components/classic/download/
> > > [3] https://repo1.maven.org/maven2/ch/qos/reload4j/reload4j/1.2.25/reload4j-1.2.25.jar
> > >
> > > On Tue, Jan 16, 2024 at 12:26 PM Vishnu Middela <vishnu_midd...@ao.uscourts.gov> wrote:
> > >
> > > > Hi,
> > > > Security team had raised concern on Log4j vulnerabilities for Apache Active MQ.
> > > >
> > > > Our current Apache Active MQ version is 5.15.8.
> > > >
> > > > Can you please let us know how we can avoid these Log4J vulnerabilities.
> > > >
> > > > Also below is the sample report attached.
> > > >
> > > > Plugin Output:
> > > >
> > > > According to its self-reported version number, the installation of Apache Log4j on the remote host is 1.x and is no longer supported. Log4j reached its end of life prior to 2016. Additionally, Log4j 1.x is affected by multiple vulnerabilities, including :
> > > >
> > > > - Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. (CVE-2019-17571)
> > > >
> > > > - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. (CVE-2020-9488)
> > > >
> > > > - JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accessed by the attacker.
> > > > (CVE-2022-23302)
> > > >
> > > > Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
> > > > Apache Log4j 1.x Multiple Vulnerabilities
> > > >
> > > > Thanks & Regards
> > > > Vishnu Middela
> > >
> > > CAUTION - EXTERNAL EMAIL: This email originated outside the Judiciary. Exercise caution when opening attachments or clicking on links.
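
The startup failure in the newest message of this thread (ClassNotFoundException for io.fabric8.insight.log.log4j.Log4jLogQuery while loading the copied activemq.xml) is the kind of problem that can be caught before the broker is started. The following is an added example, not code from the thread or from the ActiveMQ project: it reads the class attribute of every Spring <bean> element in a config file and reports the classes that no jar under the install's lib directory provides. The function names, the sample XML and the sample jar are constructed here, and it assumes the broker's classpath is the set of jars under lib/.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

SPRING_BEAN = "{http://www.springframework.org/schema/beans}bean"
JDK_PREFIXES = ("java.", "javax.")  # supplied by the JVM, not by jars in lib/

def bean_classes(xml_path):
    """Return the class attribute of every Spring <bean> element in the config."""
    root = ET.parse(xml_path).getroot()
    return sorted({b.get("class") for b in root.iter(SPRING_BEAN) if b.get("class")})

def classes_in_jars(lib_dir):
    """Collect fully qualified class names from every jar under lib_dir.
    Assumption: the broker classpath is exactly these jars."""
    found = set()
    for jar in Path(lib_dir).rglob("*.jar"):
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.endswith(".class"):
                    found.add(name[:-len(".class")].replace("/", "."))
    return found

def missing_bean_classes(xml_path, lib_dir):
    """Bean classes named in the config that no jar under lib_dir provides."""
    available = classes_in_jars(lib_dir)
    return [c for c in bean_classes(xml_path)
            if not c.startswith(JDK_PREFIXES) and c not in available]

# Constructed sample config: one bean the new install can load and one it cannot.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  <bean id="logQuery" class="io.fabric8.insight.log.log4j.Log4jLogQuery"/>
</beans>"""

def demo():
    """Build a throwaway lib/ with one constructed jar and check the sample config."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "lib")
        lib.mkdir()
        with zipfile.ZipFile(lib / "spring-beans.jar", "w") as zf:
            zf.writestr("org/springframework/beans/factory/config/"
                        "PropertyPlaceholderConfigurer.class", b"")
        conf = Path(tmp, "activemq.xml")
        conf.write_text(SAMPLE_XML)
        return missing_bean_classes(conf, lib)

if __name__ == "__main__":
    print(demo())
```

Against the installation in this thread the call would be missing_bean_classes("/app01/apachemq/apache-activemq-5.18.3/conf/activemq.xml", "/app01/apachemq/apache-activemq-5.18.3/lib"). It checks only explicit class attributes on <bean> elements, not elements resolved through the XBean namespace mapping.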