You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@activemq.apache.org by Deepti Sharma S <de...@ericsson.com.INVALID> on 2022/01/08 10:35:56 UTC
Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Hello Team,
As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm, when we have ActiveMQ all, version release which has this vulnerability fix and has Log4J version 2.17?
Regards,
Deepti Sharma
PMP(r) & ITIL
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by JB Onofré <jb...@nanthrax.net>.
February as already said on the mailing list.
> Le 8 janv. 2022 à 18:42, Deepti Sharma S <de...@ericsson.com.invalid> a écrit :
>
> Hello Jean,
>
> When is the plan to release 5.17.x version?
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Jean-Baptiste Onofre <jb...@nanthrax.net>
> Sent: Saturday, January 8, 2022 9:37 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
> Hi Tim,
>
> Good idea, I think it would be helpful to have it directly on index page and contact yeah.
>
> I can do the change if everyone agree.
>
> Thanks !
>
> Regards
> JB
>
>> Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
>>
>> JB, should we put that link somewhere prominent on
>> https://activemq.apache.org/contact for a few months? I believe all
>> the users who posted questions about the CVE were first-time posters
>> who likely went to that page before posting questions, so we might be
>> able to save everyone the time and frustration by heading off the question for folks.
>>
>> Tim
>>
>>> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
>>>
>>> Hi,
>>>
>>> Again, a new time:
>>>
>>> https://activemq.apache.org/news/cve-2021-44228
>>>
>>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because
>>> they are using log4j 1.x
>>>
>>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>>
>>> Regards
>>> JB
>>>
>>>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
>>>> <de...@ericsson.com.INVALID>
>>> a écrit :
>>>>
>>>> Hello Team,
>>>>
>>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical),
>>>> can
>>> you please confirm, when we have ActiveMQ all, version release which
>>> has this vulnerability fix and has Log4J version 2.17?
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Deepti Sharma
>>>> PMP(r) & ITIL
>>>>
>>>>
>>>
>>>
RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello Jean,
When is the plan to release 5.17.x version?
Regards,
Deepti Sharma
PMP® & ITIL
-----Original Message-----
From: Jean-Baptiste Onofre <jb...@nanthrax.net>
Sent: Saturday, January 8, 2022 9:37 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Hi Tim,
Good idea, I think it would be helpful to have it directly on index page and contact yeah.
I can do the change if everyone agree.
Thanks !
Regards
JB
> Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
>
> JB, should we put that link somewhere prominent on
> https://activemq.apache.org/contact for a few months? I believe all
> the users who posted questions about the CVE were first-time posters
> who likely went to that page before posting questions, so we might be
> able to save everyone the time and frustration by heading off the question for folks.
>
> Tim
>
> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
>
>> Hi,
>>
>> Again, a new time:
>>
>> https://activemq.apache.org/news/cve-2021-44228
>>
>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because
>> they are using log4j 1.x
>>
>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>
>> Regards
>> JB
>>
>>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
>>> <de...@ericsson.com.INVALID>
>> a écrit :
>>>
>>> Hello Team,
>>>
>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical),
>>> can
>> you please confirm, when we have ActiveMQ all, version release which
>> has this vulnerability fix and has Log4J version 2.17?
>>>
>>>
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP(r) & ITIL
>>>
>>>
>>
>>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Deepti-
ActiveMQ 5.16.2 and 5.16.3 are _not_ vulnerable to CVE-2021-44228.
Thanks,
Matt
> On Feb 7, 2022, at 11:32 AM, Deepti Sharma S <de...@ericsson.com.INVALID> wrote:
>
> Hello Matt,
>
> We are using ActiveMQ all version 5.16.2 and 5.16.3.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Matt Pavlovich <ma...@gmail.com>
> Sent: Monday, February 7, 2022 10:50 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
> Hello Deepti-
>
> What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.
>
> -Matt Pavlovich
>
>> On Feb 7, 2022, at 6:20 AM, Deepti Sharma S <de...@ericsson.com.INVALID> wrote:
>>
>> Hello Justin,
>>
>> I would like to follow-up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not found the exact date/week for the same.
>>
>> Could you please help here?
>>
>> Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can you please help to understand the procedure for the same.
>>
>>
>> Regards,
>> Deepti Sharma
>> PMP® & ITIL
>>
>>
>> -----Original Message-----
>> From: Justin Bertram <jb...@apache.org>
>> Sent: Tuesday, January 18, 2022 9:09 PM
>> To: users@activemq.apache.org
>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>> (Critical)
>>
>>> when we download the Active Mq from below Maven link the jar name is "
>> ActiveMQ all", however I could not found this from Active MQ website.
>>
>> All Maven artifacts are built from the source code. You can find links to all the ActiveMQ source code repositories on the website [1]. You need to look in the actual repository to see the code for a specific Maven module like "activemq-all" which can be found here [2].
>>
>>> I might miss the release date for 5.17...
>>
>> If you miss anything on the users mailing list you can go back and review the archive [3] which is linked from the website [4].
>>
>>
>> Justin
>>
>> [1] https://activemq.apache.org/contributing
>> [2]
>> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-45444
>> 5555731-6ccda375f1ae0b10&q=1&e=8096bb19-015a-4b40-a864-13aaa0443b5a&u=
>> https%3A%2F%2Fgithub.com%2Fapache%2Factivemq%2Ftree%2Fmain%2Factivemq-
>> all [3] https://lists.apache.org/list.html?users@activemq.apache.org
>> [4] https://activemq.apache.org/contact
>>
>> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <de...@ericsson.com.invalid> wrote:
>>
>>> Hello Justin,
>>>
>>> The question is , when we download the Active Mq from below Maven
>>> link the jar name is " ActiveMQ all", however I could not found this
>>> from Active MQ website.
>>>
>>> I might miss the release date for 5.17, it would be helpful, if you
>>> could confirm the release date for the same.
>>>
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP® & ITIL
>>>
>>>
>>> -----Original Message-----
>>> From: Justin Bertram <jb...@apache.org>
>>> Sent: Tuesday, January 18, 2022 8:33 PM
>>> To: users@activemq.apache.org
>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>>> (Critical)
>>>
>>>> Does Active MQ all (//
>>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>>> Active MQ Classic?
>>>
>>> I don't understand the question. What exactly are you asking here?
>>>
>>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>
>>> This question has *already* been answered on this thread (and many
>>> other places on this mailing list).
>>>
>>>
>>> Justin
>>>
>>> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
>>> deepti.s.sharma@ericsson.com.invalid> wrote:
>>>
>>>> Hello All,
>>>>
>>>> 2 questions:
>>>> Does Active MQ all (//
>>>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>>>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>>>> Active MQ Classic?
>>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>>
>>>>
>>>> Regards,
>>>> Deepti Sharma
>>>> PMP® & ITIL
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Justin Bertram <jb...@apache.org>
>>>> Sent: Sunday, January 9, 2022 1:29 AM
>>>> To: users@activemq.apache.org
>>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>>>> (Critical)
>>>>
>>>> For what it's worth, it's already noted on the index page as well as
>>>> the "News" page as well as noted in multiple emails on both the
>>>> users and dev mailing lists. Even searches for "activemq
>>>> CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant
>>>> information in the
>>> first few results.
>>>> In my opinion if folks aren't finding the information it's because
>>>> they aren't looking. There's always going to be folks like that
>>> unfortunately.
>>>>
>>>>
>>>> Justin
>>>>
>>>>
>>>> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre
>>>> <jb...@nanthrax.net>
>>>> wrote:
>>>>
>>>>> Hi Tim,
>>>>>
>>>>> Good idea, I think it would be helpful to have it directly on index
>>>>> page and contact yeah.
>>>>>
>>>>> I can do the change if everyone agree.
>>>>>
>>>>> Thanks !
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>>> Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
>>>>>>
>>>>>> JB, should we put that link somewhere prominent on
>>>>>> https://activemq.apache.org/contact for a few months? I believe
>>>>>> all the users who posted questions about the CVE were first-time
>>>>>> posters who
>>>>> likely
>>>>>> went to that page before posting questions, so we might be able to
>>>>>> save everyone the time and frustration by heading off the question
>>>>>> for
>>>> folks.
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
>>>>>> <jb...@nanthrax.net>
>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Again, a new time:
>>>>>>>
>>>>>>> https://activemq.apache.org/news/cve-2021-44228
>>>>>>>
>>>>>>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
>>>>>>> because they are using log4j 1.x
>>>>>>>
>>>>>>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>>>>>>
>>>>>>> Regards
>>>>>>> JB
>>>>>>>
>>>>>>>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
>>>>>>>> <deepti.s.sharma@ericsson.com
>>>>> .INVALID>
>>>>>>> a écrit :
>>>>>>>>
>>>>>>>> Hello Team,
>>>>>>>>
>>>>>>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
>>>>>>>> (Critical),
>>>>> can
>>>>>>> you please confirm, when we have ActiveMQ all, version release
>>>>>>> which has this vulnerability fix and has Log4J version 2.17?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Deepti Sharma
>>>>>>>> PMP(r) & ITIL
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello Matt,
We are using ActiveMQ all version 5.16.2 and 5.16.3.
Regards,
Deepti Sharma
PMP® & ITIL
-----Original Message-----
From: Matt Pavlovich <ma...@gmail.com>
Sent: Monday, February 7, 2022 10:50 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Hello Deepti-
What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.
-Matt Pavlovich
> On Feb 7, 2022, at 6:20 AM, Deepti Sharma S <de...@ericsson.com.INVALID> wrote:
>
> Hello Justin,
>
> I would like to follow-up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not found the exact date/week for the same.
>
> Could you please help here?
>
> Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can you please help to understand the procedure for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, January 18, 2022 9:09 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> (Critical)
>
>> when we download the Active Mq from below Maven link the jar name is "
> ActiveMQ all", however I could not found this from Active MQ website.
>
> All Maven artifacts are built from the source code. You can find links to all the ActiveMQ source code repositories on the website [1]. You need to look in the actual repository to see the code for a specific Maven module like "activemq-all" which can be found here [2].
>
>> I might miss the release date for 5.17...
>
> If you miss anything on the users mailing list you can go back and review the archive [3] which is linked from the website [4].
>
>
> Justin
>
> [1] https://activemq.apache.org/contributing
> [2]
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-45444
> 5555731-6ccda375f1ae0b10&q=1&e=8096bb19-015a-4b40-a864-13aaa0443b5a&u=
> https%3A%2F%2Fgithub.com%2Fapache%2Factivemq%2Ftree%2Fmain%2Factivemq-
> all [3] https://lists.apache.org/list.html?users@activemq.apache.org
> [4] https://activemq.apache.org/contact
>
> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <de...@ericsson.com.invalid> wrote:
>
>> Hello Justin,
>>
>> The question is , when we download the Active Mq from below Maven
>> link the jar name is " ActiveMQ all", however I could not found this
>> from Active MQ website.
>>
>> I might miss the release date for 5.17, it would be helpful, if you
>> could confirm the release date for the same.
>>
>>
>> Regards,
>> Deepti Sharma
>> PMP® & ITIL
>>
>>
>> -----Original Message-----
>> From: Justin Bertram <jb...@apache.org>
>> Sent: Tuesday, January 18, 2022 8:33 PM
>> To: users@activemq.apache.org
>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>> (Critical)
>>
>>> Does Active MQ all (//
>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>> Active MQ Classic?
>>
>> I don't understand the question. What exactly are you asking here?
>>
>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>
>> This question has *already* been answered on this thread (and many
>> other places on this mailing list).
>>
>>
>> Justin
>>
>> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
>> deepti.s.sharma@ericsson.com.invalid> wrote:
>>
>>> Hello All,
>>>
>>> 2 questions:
>>> Does Active MQ all (//
>>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>>> Active MQ Classic?
>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP® & ITIL
>>>
>>>
>>> -----Original Message-----
>>> From: Justin Bertram <jb...@apache.org>
>>> Sent: Sunday, January 9, 2022 1:29 AM
>>> To: users@activemq.apache.org
>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>>> (Critical)
>>>
>>> For what it's worth, it's already noted on the index page as well as
>>> the "News" page as well as noted in multiple emails on both the
>>> users and dev mailing lists. Even searches for "activemq
>>> CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant
>>> information in the
>> first few results.
>>> In my opinion if folks aren't finding the information it's because
>>> they aren't looking. There's always going to be folks like that
>> unfortunately.
>>>
>>>
>>> Justin
>>>
>>>
>>> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre
>>> <jb...@nanthrax.net>
>>> wrote:
>>>
>>>> Hi Tim,
>>>>
>>>> Good idea, I think it would be helpful to have it directly on index
>>>> page and contact yeah.
>>>>
>>>> I can do the change if everyone agree.
>>>>
>>>> Thanks !
>>>>
>>>> Regards
>>>> JB
>>>>
>>>>> Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
>>>>>
>>>>> JB, should we put that link somewhere prominent on
>>>>> https://activemq.apache.org/contact for a few months? I believe
>>>>> all the users who posted questions about the CVE were first-time
>>>>> posters who
>>>> likely
>>>>> went to that page before posting questions, so we might be able to
>>>>> save everyone the time and frustration by heading off the question
>>>>> for
>>> folks.
>>>>>
>>>>> Tim
>>>>>
>>>>> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
>>>>> <jb...@nanthrax.net>
>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Again, a new time:
>>>>>>
>>>>>> https://activemq.apache.org/news/cve-2021-44228
>>>>>>
>>>>>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
>>>>>> because they are using log4j 1.x
>>>>>>
>>>>>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
>>>>>>> <deepti.s.sharma@ericsson.com
>>>> .INVALID>
>>>>>> a écrit :
>>>>>>>
>>>>>>> Hello Team,
>>>>>>>
>>>>>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
>>>>>>> (Critical),
>>>> can
>>>>>> you please confirm, when we have ActiveMQ all, version release
>>>>>> which has this vulnerability fix and has Log4J version 2.17?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Deepti Sharma
>>>>>>> PMP(r) & ITIL
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Deepti-
What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.
-Matt Pavlovich
> On Feb 7, 2022, at 6:20 AM, Deepti Sharma S <de...@ericsson.com.INVALID> wrote:
>
> Hello Justin,
>
> I would like to follow-up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not found the exact date/week for the same.
>
> Could you please help here?
>
> Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can you please help to understand the procedure for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, January 18, 2022 9:09 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
>> when we download the Active Mq from below Maven link the jar name is "
> ActiveMQ all", however I could not found this from Active MQ website.
>
> All Maven artifacts are built from the source code. You can find links to all the ActiveMQ source code repositories on the website [1]. You need to look in the actual repository to see the code for a specific Maven module like "activemq-all" which can be found here [2].
>
>> I might miss the release date for 5.17...
>
> If you miss anything on the users mailing list you can go back and review the archive [3] which is linked from the website [4].
>
>
> Justin
>
> [1] https://activemq.apache.org/contributing
> [2] https://github.com/apache/activemq/tree/main/activemq-all
> [3] https://lists.apache.org/list.html?users@activemq.apache.org
> [4] https://activemq.apache.org/contact
>
> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <de...@ericsson.com.invalid> wrote:
>
>> Hello Justin,
>>
>> The question is , when we download the Active Mq from below Maven link
>> the jar name is " ActiveMQ all", however I could not found this from
>> Active MQ website.
>>
>> I might miss the release date for 5.17, it would be helpful, if you
>> could confirm the release date for the same.
>>
>>
>> Regards,
>> Deepti Sharma
>> PMP® & ITIL
>>
>>
>> -----Original Message-----
>> From: Justin Bertram <jb...@apache.org>
>> Sent: Tuesday, January 18, 2022 8:33 PM
>> To: users@activemq.apache.org
>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>> (Critical)
>>
>>> Does Active MQ all (//
>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>> Active MQ Classic?
>>
>> I don't understand the question. What exactly are you asking here?
>>
>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>
>> This question has *already* been answered on this thread (and many
>> other places on this mailing list).
>>
>>
>> Justin
>>
>> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
>> deepti.s.sharma@ericsson.com.invalid> wrote:
>>
>>> Hello All,
>>>
>>> 2 questions:
>>> Does Active MQ all (//
>>> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
>>> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
>>> Active MQ Classic?
>>> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>>>
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP® & ITIL
>>>
>>>
>>> -----Original Message-----
>>> From: Justin Bertram <jb...@apache.org>
>>> Sent: Sunday, January 9, 2022 1:29 AM
>>> To: users@activemq.apache.org
>>> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
>>> (Critical)
>>>
>>> For what it's worth, it's already noted on the index page as well as
>>> the "News" page as well as noted in multiple emails on both the
>>> users and dev mailing lists. Even searches for "activemq
>>> CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant
>>> information in the
>> first few results.
>>> In my opinion if folks aren't finding the information it's because
>>> they aren't looking. There's always going to be folks like that
>> unfortunately.
>>>
>>>
>>> Justin
>>>
>>>
>>> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre
>>> <jb...@nanthrax.net>
>>> wrote:
>>>
>>>> Hi Tim,
>>>>
>>>> Good idea, I think it would be helpful to have it directly on
>>>> index page and contact yeah.
>>>>
>>>> I can do the change if everyone agree.
>>>>
>>>> Thanks !
>>>>
>>>> Regards
>>>> JB
>>>>
>>>>> Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
>>>>>
>>>>> JB, should we put that link somewhere prominent on
>>>>> https://activemq.apache.org/contact for a few months? I believe
>>>>> all the users who posted questions about the CVE were first-time
>>>>> posters who
>>>> likely
>>>>> went to that page before posting questions, so we might be able
>>>>> to save everyone the time and frustration by heading off the
>>>>> question for
>>> folks.
>>>>>
>>>>> Tim
>>>>>
>>>>> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
>>>>> <jb...@nanthrax.net>
>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Again, a new time:
>>>>>>
>>>>>> https://activemq.apache.org/news/cve-2021-44228
>>>>>>
>>>>>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
>>>>>> because they are using log4j 1.x
>>>>>>
>>>>>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>>>>>
>>>>>> Regards
>>>>>> JB
>>>>>>
>>>>>>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
>>>>>>> <deepti.s.sharma@ericsson.com
>>>> .INVALID>
>>>>>> a écrit :
>>>>>>>
>>>>>>> Hello Team,
>>>>>>>
>>>>>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
>>>>>>> (Critical),
>>>> can
>>>>>> you please confirm, when we have ActiveMQ all, version release
>>>>>> which has this vulnerability fix and has Log4J version 2.17?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Deepti Sharma
>>>>>>> PMP(r) & ITIL
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Justin Bertram <jb...@apache.org>.
> I would like to follow-up on the release date of ActiveMQ 5.17.x version.
I have seen the below thread, however could not found the exact date/week
for the same.
As noted previously, there is no exact release date. There is only a
projection about when the release will go up for a vote.
Previously it was projected that the release would go up for a vote in
early February. However, right before that time came a few issues were
discovered with some of the commits. Those issues need to be resolved
before the release can be put to a vote. I don't know what the current
projection is. I assume it's as-soon-as-possible.
Justin
On Mon, Feb 7, 2022 at 6:21 AM Deepti Sharma S
<de...@ericsson.com.invalid> wrote:
> Hello Justin,
>
> I would like to follow-up on the release date of ActiveMQ 5.17.x version.
> I have seen the below thread, however could not found the exact date/week
> for the same.
>
> Could you please help here?
>
> Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can
> you please help to understand the procedure for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, January 18, 2022 9:09 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
> > when we download the Active Mq from below Maven link the jar name is "
> ActiveMQ all", however I could not found this from Active MQ website.
>
> All Maven artifacts are built from the source code. You can find links to
> all the ActiveMQ source code repositories on the website [1]. You need to
> look in the actual repository to see the code for a specific Maven module
> like "activemq-all" which can be found here [2].
>
> > I might miss the release date for 5.17...
>
> If you miss anything on the users mailing list you can go back and review
> the archive [3] which is linked from the website [4].
>
>
> Justin
>
> [1] https://activemq.apache.org/contributing
> [2] https://github.com/apache/activemq/tree/main/activemq-all
> [3] https://lists.apache.org/list.html?users@activemq.apache.org
> [4] https://activemq.apache.org/contact
>
> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <
> deepti.s.sharma@ericsson.com.invalid> wrote:
>
> > Hello Justin,
> >
> > The question is , when we download the Active Mq from below Maven link
> > the jar name is " ActiveMQ all", however I could not found this from
> > Active MQ website.
> >
> > I might miss the release date for 5.17, it would be helpful, if you
> > could confirm the release date for the same.
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP® & ITIL
> >
> >
> > -----Original Message-----
> > From: Justin Bertram <jb...@apache.org>
> > Sent: Tuesday, January 18, 2022 8:33 PM
> > To: users@activemq.apache.org
> > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> > (Critical)
> >
> > > Does Active MQ all (//
> > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > Active MQ Classic?
> >
> > I don't understand the question. What exactly are you asking here?
> >
> > > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> >
> > This question has *already* been answered on this thread (and many
> > other places on this mailing list).
> >
> >
> > Justin
> >
> > On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
> > deepti.s.sharma@ericsson.com.invalid> wrote:
> >
> > > Hello All,
> > >
> > > 2 questions:
> > > Does Active MQ all (//
> > > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > > Active MQ Classic?
> > > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> > >
> > >
> > > Regards,
> > > Deepti Sharma
> > > PMP® & ITIL
> > >
> > >
> > > -----Original Message-----
> > > From: Justin Bertram <jb...@apache.org>
> > > Sent: Sunday, January 9, 2022 1:29 AM
> > > To: users@activemq.apache.org
> > > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> > > (Critical)
> > >
> > > For what it's worth, it's already noted on the index page as well as
> > > the "News" page as well as noted in multiple emails on both the
> > > users and dev mailing lists. Even searches for "activemq
> > > CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant
> > > information in the
> > first few results.
> > > In my opinion if folks aren't finding the information it's because
> > > they aren't looking. There's always going to be folks like that
> > unfortunately.
> > >
> > >
> > > Justin
> > >
> > >
> > > On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre
> > > <jb...@nanthrax.net>
> > > wrote:
> > >
> > > > Hi Tim,
> > > >
> > > > Good idea, I think it would be helpful to have it directly on
> > > > index page and contact yeah.
> > > >
> > > > I can do the change if everyone agree.
> > > >
> > > > Thanks !
> > > >
> > > > Regards
> > > > JB
> > > >
> > > > > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit
> :
> > > > >
> > > > > JB, should we put that link somewhere prominent on
> > > > > https://activemq.apache.org/contact for a few months? I believe
> > > > > all the users who posted questions about the CVE were first-time
> > > > > posters who
> > > > likely
> > > > > went to that page before posting questions, so we might be able
> > > > > to save everyone the time and frustration by heading off the
> > > > > question for
> > > folks.
> > > > >
> > > > > Tim
> > > > >
> > > > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
> > > > > <jb...@nanthrax.net>
> > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Again, a new time:
> > > > >>
> > > > >> https://activemq.apache.org/news/cve-2021-44228
> > > > >>
> > > > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
> > > > >> because they are using log4j 1.x
> > > > >>
> > > > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > > > >>
> > > > >> Regards
> > > > >> JB
> > > > >>
> > > > >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> > > > >>> <deepti.s.sharma@ericsson.com
> > > > .INVALID>
> > > > >> a écrit :
> > > > >>>
> > > > >>> Hello Team,
> > > > >>>
> > > > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > > > >>> (Critical),
> > > > can
> > > > >> you please confirm, when we have ActiveMQ all, version release
> > > > >> which has this vulnerability fix and has Log4J version 2.17?
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>> Regards,
> > > > >>> Deepti Sharma
> > > > >>> PMP(r) & ITIL
> > > > >>>
> > > > >>>
> > > > >>
> > > > >>
> > > >
> > > >
> > >
> > >
> >
> >
>
>
RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello Justin,
I would like to follow-up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not found the exact date/week for the same.
Could you please help here?
Also can we build the ActiveMQ and upgrade the Log4J2.x on our own, can you please help to understand the procedure for the same.
Regards,
Deepti Sharma
PMP® & ITIL
-----Original Message-----
From: Justin Bertram <jb...@apache.org>
Sent: Tuesday, January 18, 2022 9:09 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
> when we download the Active Mq from below Maven link the jar name is "
ActiveMQ all", however I could not found this from Active MQ website.
All Maven artifacts are built from the source code. You can find links to all the ActiveMQ source code repositories on the website [1]. You need to look in the actual repository to see the code for a specific Maven module like "activemq-all" which can be found here [2].
> I might miss the release date for 5.17...
If you miss anything on the users mailing list you can go back and review the archive [3] which is linked from the website [4].
Justin
[1] https://activemq.apache.org/contributing
[2] https://github.com/apache/activemq/tree/main/activemq-all
[3] https://lists.apache.org/list.html?users@activemq.apache.org
[4] https://activemq.apache.org/contact
On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <de...@ericsson.com.invalid> wrote:
> Hello Justin,
>
> The question is , when we download the Active Mq from below Maven link
> the jar name is " ActiveMQ all", however I could not found this from
> Active MQ website.
>
> I might miss the release date for 5.17, it would be helpful, if you
> could confirm the release date for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, January 18, 2022 8:33 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> (Critical)
>
> > Does Active MQ all (//
> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> Active MQ Classic?
>
> I don't understand the question. What exactly are you asking here?
>
> > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>
> This question has *already* been answered on this thread (and many
> other places on this mailing list).
>
>
> Justin
>
> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
> deepti.s.sharma@ericsson.com.invalid> wrote:
>
> > Hello All,
> >
> > 2 questions:
> > Does Active MQ all (//
> > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > Active MQ Classic?
> > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP® & ITIL
> >
> >
> > -----Original Message-----
> > From: Justin Bertram <jb...@apache.org>
> > Sent: Sunday, January 9, 2022 1:29 AM
> > To: users@activemq.apache.org
> > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> > (Critical)
> >
> > For what it's worth, it's already noted on the index page as well as
> > the "News" page as well as noted in multiple emails on both the
> > users and dev mailing lists. Even searches for "activemq
> > CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant
> > information in the
> first few results.
> > In my opinion if folks aren't finding the information it's because
> > they aren't looking. There's always going to be folks like that
> unfortunately.
> >
> >
> > Justin
> >
> >
> > On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre
> > <jb...@nanthrax.net>
> > wrote:
> >
> > > Hi Tim,
> > >
> > > Good idea, I think it would be helpful to have it directly on
> > > index page and contact yeah.
> > >
> > > I can do the change if everyone agree.
> > >
> > > Thanks !
> > >
> > > Regards
> > > JB
> > >
> > > > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
> > > >
> > > > JB, should we put that link somewhere prominent on
> > > > https://activemq.apache.org/contact for a few months? I believe
> > > > all the users who posted questions about the CVE were first-time
> > > > posters who
> > > likely
> > > > went to that page before posting questions, so we might be able
> > > > to save everyone the time and frustration by heading off the
> > > > question for
> > folks.
> > > >
> > > > Tim
> > > >
> > > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
> > > > <jb...@nanthrax.net>
> > > wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Again, a new time:
> > > >>
> > > >> https://activemq.apache.org/news/cve-2021-44228
> > > >>
> > > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
> > > >> because they are using log4j 1.x
> > > >>
> > > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > > >>
> > > >> Regards
> > > >> JB
> > > >>
> > > >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> > > >>> <deepti.s.sharma@ericsson.com
> > > .INVALID>
> > > >> a écrit :
> > > >>>
> > > >>> Hello Team,
> > > >>>
> > > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > > >>> (Critical),
> > > can
> > > >> you please confirm, when we have ActiveMQ all, version release
> > > >> which has this vulnerability fix and has Log4J version 2.17?
> > > >>>
> > > >>>
> > > >>>
> > > >>> Regards,
> > > >>> Deepti Sharma
> > > >>> PMP(r) & ITIL
> > > >>>
> > > >>>
> > > >>
> > > >>
> > >
> > >
> >
> >
>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Tim Bain <tb...@alumni.duke.edu>.
Deepti,
Qouting Justin from a recent thread, "the current plan is to put a release
up for vote at the end of January. All community members can vote on the
release for 3 days, and if the vote passes then the release should be done
in early February."
Tim
On Tue, Jan 18, 2022, 8:39 AM Justin Bertram <jb...@apache.org> wrote:
> > when we download the Active Mq from below Maven link the jar name is "
> ActiveMQ all", however I could not found this from Active MQ website.
>
> All Maven artifacts are built from the source code. You can find links to
> all the ActiveMQ source code repositories on the website [1]. You need to
> look in the actual repository to see the code for a specific Maven module
> like "activemq-all" which can be found here [2].
>
> > I might miss the release date for 5.17...
>
> If you miss anything on the users mailing list you can go back and review
> the archive [3] which is linked from the website [4].
>
>
> Justin
>
> [1] https://activemq.apache.org/contributing
> [2] https://github.com/apache/activemq/tree/main/activemq-all
> [3] https://lists.apache.org/list.html?users@activemq.apache.org
> [4] https://activemq.apache.org/contact
>
> On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S
> <de...@ericsson.com.invalid> wrote:
>
> > Hello Justin,
> >
> > The question is , when we download the Active Mq from below Maven link
> the
> > jar name is " ActiveMQ all", however I could not found this from Active
> MQ
> > website.
> >
> > I might miss the release date for 5.17, it would be helpful, if you could
> > confirm the release date for the same.
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP® & ITIL
> >
> >
> > -----Original Message-----
> > From: Justin Bertram <jb...@apache.org>
> > Sent: Tuesday, January 18, 2022 8:33 PM
> > To: users@activemq.apache.org
> > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
> >
> > > Does Active MQ all (//
> > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > Active MQ Classic?
> >
> > I don't understand the question. What exactly are you asking here?
> >
> > > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> >
> > This question has *already* been answered on this thread (and many other
> > places on this mailing list).
> >
> >
> > Justin
> >
> > On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
> > deepti.s.sharma@ericsson.com.invalid> wrote:
> >
> > > Hello All,
> > >
> > > 2 questions:
> > > Does Active MQ all (//
> > > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > > Active MQ Classic?
> > > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> > >
> > >
> > > Regards,
> > > Deepti Sharma
> > > PMP® & ITIL
> > >
> > >
> > > -----Original Message-----
> > > From: Justin Bertram <jb...@apache.org>
> > > Sent: Sunday, January 9, 2022 1:29 AM
> > > To: users@activemq.apache.org
> > > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> > > (Critical)
> > >
> > > For what it's worth, it's already noted on the index page as well as
> > > the "News" page as well as noted in multiple emails on both the users
> > > and dev mailing lists. Even searches for "activemq CVE-2021-44228" on
> > > DuckDuckGo, Google, or Bing provide the relevant information in the
> > first few results.
> > > In my opinion if folks aren't finding the information it's because
> > > they aren't looking. There's always going to be folks like that
> > unfortunately.
> > >
> > >
> > > Justin
> > >
> > >
> > > On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> > > wrote:
> > >
> > > > Hi Tim,
> > > >
> > > > Good idea, I think it would be helpful to have it directly on index
> > > > page and contact yeah.
> > > >
> > > > I can do the change if everyone agree.
> > > >
> > > > Thanks !
> > > >
> > > > Regards
> > > > JB
> > > >
> > > > > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit
> :
> > > > >
> > > > > JB, should we put that link somewhere prominent on
> > > > > https://activemq.apache.org/contact for a few months? I believe
> > > > > all the users who posted questions about the CVE were first-time
> > > > > posters who
> > > > likely
> > > > > went to that page before posting questions, so we might be able to
> > > > > save everyone the time and frustration by heading off the question
> > > > > for
> > > folks.
> > > > >
> > > > > Tim
> > > > >
> > > > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
> > > > > <jb...@nanthrax.net>
> > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> Again, a new time:
> > > > >>
> > > > >> https://activemq.apache.org/news/cve-2021-44228
> > > > >>
> > > > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
> > > > >> because they are using log4j 1.x
> > > > >>
> > > > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > > > >>
> > > > >> Regards
> > > > >> JB
> > > > >>
> > > > >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> > > > >>> <deepti.s.sharma@ericsson.com
> > > > .INVALID>
> > > > >> a écrit :
> > > > >>>
> > > > >>> Hello Team,
> > > > >>>
> > > > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > > > >>> (Critical),
> > > > can
> > > > >> you please confirm, when we have ActiveMQ all, version release
> > > > >> which has this vulnerability fix and has Log4J version 2.17?
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>> Regards,
> > > > >>> Deepti Sharma
> > > > >>> PMP(r) & ITIL
> > > > >>>
> > > > >>>
> > > > >>
> > > > >>
> > > >
> > > >
> > >
> > >
> >
> >
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Justin Bertram <jb...@apache.org>.
> when we download the Active Mq from below Maven link the jar name is "
ActiveMQ all", however I could not found this from Active MQ website.
All Maven artifacts are built from the source code. You can find links to
all the ActiveMQ source code repositories on the website [1]. You need to
look in the actual repository to see the code for a specific Maven module
like "activemq-all" which can be found here [2].
> I might miss the release date for 5.17...
If you miss anything on the users mailing list you can go back and review
the archive [3] which is linked from the website [4].
Justin
[1] https://activemq.apache.org/contributing
[2] https://github.com/apache/activemq/tree/main/activemq-all
[3] https://lists.apache.org/list.html?users@activemq.apache.org
[4] https://activemq.apache.org/contact
On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S
<de...@ericsson.com.invalid> wrote:
> Hello Justin,
>
> The question is , when we download the Active Mq from below Maven link the
> jar name is " ActiveMQ all", however I could not found this from Active MQ
> website.
>
> I might miss the release date for 5.17, it would be helpful, if you could
> confirm the release date for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, January 18, 2022 8:33 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
> > Does Active MQ all (//
> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> Active MQ Classic?
>
> I don't understand the question. What exactly are you asking here?
>
> > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>
> This question has *already* been answered on this thread (and many other
> places on this mailing list).
>
>
> Justin
>
> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <
> deepti.s.sharma@ericsson.com.invalid> wrote:
>
> > Hello All,
> >
> > 2 questions:
> > Does Active MQ all (//
> > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > Active MQ Classic?
> > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP® & ITIL
> >
> >
> > -----Original Message-----
> > From: Justin Bertram <jb...@apache.org>
> > Sent: Sunday, January 9, 2022 1:29 AM
> > To: users@activemq.apache.org
> > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> > (Critical)
> >
> > For what it's worth, it's already noted on the index page as well as
> > the "News" page as well as noted in multiple emails on both the users
> > and dev mailing lists. Even searches for "activemq CVE-2021-44228" on
> > DuckDuckGo, Google, or Bing provide the relevant information in the
> first few results.
> > In my opinion if folks aren't finding the information it's because
> > they aren't looking. There's always going to be folks like that
> unfortunately.
> >
> >
> > Justin
> >
> >
> > On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> > wrote:
> >
> > > Hi Tim,
> > >
> > > Good idea, I think it would be helpful to have it directly on index
> > > page and contact yeah.
> > >
> > > I can do the change if everyone agree.
> > >
> > > Thanks !
> > >
> > > Regards
> > > JB
> > >
> > > > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
> > > >
> > > > JB, should we put that link somewhere prominent on
> > > > https://activemq.apache.org/contact for a few months? I believe
> > > > all the users who posted questions about the CVE were first-time
> > > > posters who
> > > likely
> > > > went to that page before posting questions, so we might be able to
> > > > save everyone the time and frustration by heading off the question
> > > > for
> > folks.
> > > >
> > > > Tim
> > > >
> > > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
> > > > <jb...@nanthrax.net>
> > > wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Again, a new time:
> > > >>
> > > >> https://activemq.apache.org/news/cve-2021-44228
> > > >>
> > > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
> > > >> because they are using log4j 1.x
> > > >>
> > > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > > >>
> > > >> Regards
> > > >> JB
> > > >>
> > > >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> > > >>> <deepti.s.sharma@ericsson.com
> > > .INVALID>
> > > >> a écrit :
> > > >>>
> > > >>> Hello Team,
> > > >>>
> > > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > > >>> (Critical),
> > > can
> > > >> you please confirm, when we have ActiveMQ all, version release
> > > >> which has this vulnerability fix and has Log4J version 2.17?
> > > >>>
> > > >>>
> > > >>>
> > > >>> Regards,
> > > >>> Deepti Sharma
> > > >>> PMP(r) & ITIL
> > > >>>
> > > >>>
> > > >>
> > > >>
> > >
> > >
> >
> >
>
>
RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello Justin,
The question is , when we download the Active Mq from below Maven link the jar name is " ActiveMQ all", however I could not found this from Active MQ website.
I might miss the release date for 5.17, it would be helpful, if you could confirm the release date for the same.
Regards,
Deepti Sharma
PMP® & ITIL
-----Original Message-----
From: Justin Bertram <jb...@apache.org>
Sent: Tuesday, January 18, 2022 8:33 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
> Does Active MQ all (//
https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
implementation 'org.apache.activemq:activemq-all:5.16.3') is same as Active MQ Classic?
I don't understand the question. What exactly are you asking here?
> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
This question has *already* been answered on this thread (and many other places on this mailing list).
Justin
On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S <de...@ericsson.com.invalid> wrote:
> Hello All,
>
> 2 questions:
> Does Active MQ all (//
> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> Active MQ Classic?
> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Sunday, January 9, 2022 1:29 AM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> (Critical)
>
> For what it's worth, it's already noted on the index page as well as
> the "News" page as well as noted in multiple emails on both the users
> and dev mailing lists. Even searches for "activemq CVE-2021-44228" on
> DuckDuckGo, Google, or Bing provide the relevant information in the first few results.
> In my opinion if folks aren't finding the information it's because
> they aren't looking. There's always going to be folks like that unfortunately.
>
>
> Justin
>
>
> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> wrote:
>
> > Hi Tim,
> >
> > Good idea, I think it would be helpful to have it directly on index
> > page and contact yeah.
> >
> > I can do the change if everyone agree.
> >
> > Thanks !
> >
> > Regards
> > JB
> >
> > > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
> > >
> > > JB, should we put that link somewhere prominent on
> > > https://activemq.apache.org/contact for a few months? I believe
> > > all the users who posted questions about the CVE were first-time
> > > posters who
> > likely
> > > went to that page before posting questions, so we might be able to
> > > save everyone the time and frustration by heading off the question
> > > for
> folks.
> > >
> > > Tim
> > >
> > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre
> > > <jb...@nanthrax.net>
> > wrote:
> > >
> > >> Hi,
> > >>
> > >> Again, a new time:
> > >>
> > >> https://activemq.apache.org/news/cve-2021-44228
> > >>
> > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE
> > >> because they are using log4j 1.x
> > >>
> > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > >>
> > >> Regards
> > >> JB
> > >>
> > >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> > >>> <deepti.s.sharma@ericsson.com
> > .INVALID>
> > >> a écrit :
> > >>>
> > >>> Hello Team,
> > >>>
> > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > >>> (Critical),
> > can
> > >> you please confirm, when we have ActiveMQ all, version release
> > >> which has this vulnerability fix and has Log4J version 2.17?
> > >>>
> > >>>
> > >>>
> > >>> Regards,
> > >>> Deepti Sharma
> > >>> PMP(r) & ITIL
> > >>>
> > >>>
> > >>
> > >>
> >
> >
>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Justin Bertram <jb...@apache.org>.
> Does Active MQ all (//
https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
implementation 'org.apache.activemq:activemq-all:5.16.3') is same as Active
MQ Classic?
I don't understand the question. What exactly are you asking here?
> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
This question has *already* been answered on this thread (and many other
places on this mailing list).
Justin
On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S
<de...@ericsson.com.invalid> wrote:
> Hello All,
>
> 2 questions:
> Does Active MQ all (//
> https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> Active MQ Classic?
> When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Sunday, January 9, 2022 1:29 AM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
>
> For what it's worth, it's already noted on the index page as well as the
> "News" page as well as noted in multiple emails on both the users and dev
> mailing lists. Even searches for "activemq CVE-2021-44228" on DuckDuckGo,
> Google, or Bing provide the relevant information in the first few results.
> In my opinion if folks aren't finding the information it's because they
> aren't looking. There's always going to be folks like that unfortunately.
>
>
> Justin
>
>
> On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> wrote:
>
> > Hi Tim,
> >
> > Good idea, I think it would be helpful to have it directly on index
> > page and contact yeah.
> >
> > I can do the change if everyone agree.
> >
> > Thanks !
> >
> > Regards
> > JB
> >
> > > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
> > >
> > > JB, should we put that link somewhere prominent on
> > > https://activemq.apache.org/contact for a few months? I believe all
> > > the users who posted questions about the CVE were first-time posters
> > > who
> > likely
> > > went to that page before posting questions, so we might be able to
> > > save everyone the time and frustration by heading off the question for
> folks.
> > >
> > > Tim
> > >
> > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> > wrote:
> > >
> > >> Hi,
> > >>
> > >> Again, a new time:
> > >>
> > >> https://activemq.apache.org/news/cve-2021-44228
> > >>
> > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because
> > >> they are using log4j 1.x
> > >>
> > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > >>
> > >> Regards
> > >> JB
> > >>
> > >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> > >>> <deepti.s.sharma@ericsson.com
> > .INVALID>
> > >> a écrit :
> > >>>
> > >>> Hello Team,
> > >>>
> > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > >>> (Critical),
> > can
> > >> you please confirm, when we have ActiveMQ all, version release
> > >> which has this vulnerability fix and has Log4J version 2.17?
> > >>>
> > >>>
> > >>>
> > >>> Regards,
> > >>> Deepti Sharma
> > >>> PMP(r) & ITIL
> > >>>
> > >>>
> > >>
> > >>
> >
> >
>
>
RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello All,
2 questions:
Does Active MQ all (// https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
implementation 'org.apache.activemq:activemq-all:5.16.3') is same as Active MQ Classic?
When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
Regards,
Deepti Sharma
PMP® & ITIL
-----Original Message-----
From: Justin Bertram <jb...@apache.org>
Sent: Sunday, January 9, 2022 1:29 AM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
For what it's worth, it's already noted on the index page as well as the "News" page as well as noted in multiple emails on both the users and dev mailing lists. Even searches for "activemq CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant information in the first few results.
In my opinion if folks aren't finding the information it's because they aren't looking. There's always going to be folks like that unfortunately.
Justin
On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
wrote:
> Hi Tim,
>
> Good idea, I think it would be helpful to have it directly on index
> page and contact yeah.
>
> I can do the change if everyone agree.
>
> Thanks !
>
> Regards
> JB
>
> > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
> >
> > JB, should we put that link somewhere prominent on
> > https://activemq.apache.org/contact for a few months? I believe all
> > the users who posted questions about the CVE were first-time posters
> > who
> likely
> > went to that page before posting questions, so we might be able to
> > save everyone the time and frustration by heading off the question for folks.
> >
> > Tim
> >
> > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> wrote:
> >
> >> Hi,
> >>
> >> Again, a new time:
> >>
> >> https://activemq.apache.org/news/cve-2021-44228
> >>
> >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because
> >> they are using log4j 1.x
> >>
> >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> >>
> >> Regards
> >> JB
> >>
> >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S
> >>> <deepti.s.sharma@ericsson.com
> .INVALID>
> >> a écrit :
> >>>
> >>> Hello Team,
> >>>
> >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> >>> (Critical),
> can
> >> you please confirm, when we have ActiveMQ all, version release
> >> which has this vulnerability fix and has Log4J version 2.17?
> >>>
> >>>
> >>>
> >>> Regards,
> >>> Deepti Sharma
> >>> PMP(r) & ITIL
> >>>
> >>>
> >>
> >>
>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Justin Bertram <jb...@apache.org>.
For what it's worth, it's already noted on the index page as well as the
"News" page as well as noted in multiple emails on both the users and dev
mailing lists. Even searches for "activemq CVE-2021-44228" on DuckDuckGo,
Google, or Bing provide the relevant information in the first few results.
In my opinion if folks aren't finding the information it's because they
aren't looking. There's always going to be folks like that unfortunately.
Justin
On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
wrote:
> Hi Tim,
>
> Good idea, I think it would be helpful to have it directly on index page
> and contact yeah.
>
> I can do the change if everyone agree.
>
> Thanks !
>
> Regards
> JB
>
> > Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
> >
> > JB, should we put that link somewhere prominent on
> > https://activemq.apache.org/contact for a few months? I believe all the
> > users who posted questions about the CVE were first-time posters who
> likely
> > went to that page before posting questions, so we might be able to save
> > everyone the time and frustration by heading off the question for folks.
> >
> > Tim
> >
> > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net>
> wrote:
> >
> >> Hi,
> >>
> >> Again, a new time:
> >>
> >> https://activemq.apache.org/news/cve-2021-44228
> >>
> >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because they
> >> are using log4j 1.x
> >>
> >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> >>
> >> Regards
> >> JB
> >>
> >>> Le 8 janv. 2022 à 11:35, Deepti Sharma S <deepti.s.sharma@ericsson.com
> .INVALID>
> >> a écrit :
> >>>
> >>> Hello Team,
> >>>
> >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical),
> can
> >> you please confirm, when we have ActiveMQ all, version release which has
> >> this vulnerability fix and has Log4J version 2.17?
> >>>
> >>>
> >>>
> >>> Regards,
> >>> Deepti Sharma
> >>> PMP(r) & ITIL
> >>>
> >>>
> >>
> >>
>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi Tim,
Good idea, I think it would be helpful to have it directly on index page and contact yeah.
I can do the change if everyone agree.
Thanks !
Regards
JB
> Le 8 janv. 2022 à 16:44, Tim Bain <tb...@alumni.duke.edu> a écrit :
>
> JB, should we put that link somewhere prominent on
> https://activemq.apache.org/contact for a few months? I believe all the
> users who posted questions about the CVE were first-time posters who likely
> went to that page before posting questions, so we might be able to save
> everyone the time and frustration by heading off the question for folks.
>
> Tim
>
> On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
>
>> Hi,
>>
>> Again, a new time:
>>
>> https://activemq.apache.org/news/cve-2021-44228
>>
>> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because they
>> are using log4j 1.x
>>
>> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>>
>> Regards
>> JB
>>
>>> Le 8 janv. 2022 à 11:35, Deepti Sharma S <de...@ericsson.com.INVALID>
>> a écrit :
>>>
>>> Hello Team,
>>>
>>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can
>> you please confirm, when we have ActiveMQ all, version release which has
>> this vulnerability fix and has Log4J version 2.17?
>>>
>>>
>>>
>>> Regards,
>>> Deepti Sharma
>>> PMP(r) & ITIL
>>>
>>>
>>
>>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Tim Bain <tb...@alumni.duke.edu>.
JB, should we put that link somewhere prominent on
https://activemq.apache.org/contact for a few months? I believe all the
users who posted questions about the CVE were first-time posters who likely
went to that page before posting questions, so we might be able to save
everyone the time and frustration by heading off the question for folks.
Tim
On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
> Hi,
>
> Again, a new time:
>
> https://activemq.apache.org/news/cve-2021-44228
>
> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because they
> are using log4j 1.x
>
> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
>
> Regards
> JB
>
> > Le 8 janv. 2022 à 11:35, Deepti Sharma S <de...@ericsson.com.INVALID>
> a écrit :
> >
> > Hello Team,
> >
> > As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can
> you please confirm, when we have ActiveMQ all, version release which has
> this vulnerability fix and has Log4J version 2.17?
> >
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP(r) & ITIL
> >
> >
>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
Hi,
Again, a new time:
https://activemq.apache.org/news/cve-2021-44228
AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE because they are using log4j 1.x
ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
Regards
JB
> Le 8 janv. 2022 à 11:35, Deepti Sharma S <de...@ericsson.com.INVALID> a écrit :
>
> Hello Team,
>
> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm, when we have ActiveMQ all, version release which has this vulnerability fix and has Log4J version 2.17?
>
>
>
> Regards,
> Deepti Sharma
> PMP(r) & ITIL
>
>
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by "Tetreault, Lucas" <te...@amazon.com.INVALID>.
Woops, my mailbox was out of sync and I didn't see all the responses. Sorry for the noise!
On 2022-01-08, 9:24 PM, "Tetreault, Lucas" <te...@amazon.com.INVALID> wrote:
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Hi Deepti,
There is some information on the website that should answer all your questions: https://activemq.apache.org/news/cve-2021-44228.
- Lucas
On 2022-01-08, 2:38 AM, "Deepti Sharma S" <de...@ericsson.com.INVALID> wrote:
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Hello Team,
As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm, when we have ActiveMQ all, version release which has this vulnerability fix and has Log4J version 2.17?
Regards,
Deepti Sharma
PMP(r) & ITIL
Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
Posted by "Tetreault, Lucas" <te...@amazon.com.INVALID>.
Hi Deepti,
There is some information on the website that should answer all your questions: https://activemq.apache.org/news/cve-2021-44228.
- Lucas
On 2022-01-08, 2:38 AM, "Deepti Sharma S" <de...@ericsson.com.INVALID> wrote:
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Hello Team,
As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0 (Critical), can you please confirm, when we have ActiveMQ all, version release which has this vulnerability fix and has Log4J version 2.17?
Regards,
Deepti Sharma
PMP(r) & ITIL