Posted to users@activemq.apache.org by "Gunawan, Rahman (GSFC-703.H)[BUSINESS INTEGRA, INC.]" <ra...@nasa.gov.INVALID> on 2021/12/15 20:47:48 UTC

RE: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

I couldn't find ActiveMQ 5.17.x in https://activemq.apache.org/download-archives.  Could you please let me know where I can download ActiveMQ 5.17?

Thanks

Regards,
Rahman

-----Original Message-----
From: Jean-Baptiste Onofré <jb...@nanthrax.net> 
Sent: Monday, December 13, 2021 4:50 AM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Hi,

I was about to send a message to the mailing list to give an update.

1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by CVE-2021-44228. The other mentioned CVE only affects users using the JMS appender, which is pretty rare.
2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE.

Regards
JB

On 13/12/2021 09:59, Lionel Cons wrote:
> Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
> 
> I've read different things from different sources.
> 
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
> 
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".
> 
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> 
> Could we please get an official statement about ActiveMQ's security wrt log4j?
> 
> Thanks!
> 
> Lionel
> 
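
The thread above turns on which log4j artifact a broker actually ships and which version ranges the two advisories call affected. The following is an added example, not code from the thread or from the ActiveMQ project: it classifies jar names from a broker's lib/ directory against the ranges quoted above (2.0 up to but not including 2.15.0 for CVE-2021-44228; 1.x as EOL) and, for a 1.x install, lists any JMSAppender configured in log4j.properties, which is the only appender the thread ties to the other 1.x CVE. The sample listing and properties are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Maven-style jar names: <artifact>-<numeric.version>.jar (pre-release suffixes such
# as 2.0-beta9 are deliberately not matched and therefore reported as unknown).
JAR_RE = re.compile(r"^(log4j(?:-core|-api)?)-(\d+(?:\.\d+)*)\.jar$")
# log4j 1.x properties line that wires an appender to the JMSAppender class.
JMS_RE = re.compile(r"^log4j\.appender\.(\w+)\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$",
                    re.MULTILINE)

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def classify(jar_name: str) -> str:
    """Status for one jar name against the ranges quoted in the thread; '' if not log4j."""
    match = JAR_RE.match(jar_name)
    if not match:
        return ""
    artifact, version = match.group(1), parse_version(match.group(2))
    if version[0] == 1:
        # Not in the CVE-2021-44228 range, but the 1.x branch is EOL (GitHub advisory).
        return "eol-1.x"
    if artifact == "log4j-api":
        # The lookup code lives in log4j-core; the api jar alone is not the affected artifact.
        return "api-only"
    if (2, 0) <= version < (2, 15, 0):
        return "vulnerable-cve-2021-44228"
    # Only CVE-2021-44228 is assessed here, as in the thread; later log4j2 CVEs are out of scope.
    return "not-vulnerable"

def scan(jar_names: Iterable[str]) -> List[Tuple[str, str]]:
    """All log4j jars in a listing with their status; non-log4j jars are skipped."""
    return [(name, classify(name)) for name in jar_names if classify(name)]

def jms_appenders(log4j_properties: str) -> List[str]:
    """Names of appenders bound to JMSAppender in a log4j 1.x properties file."""
    return JMS_RE.findall(log4j_properties)

if __name__ == "__main__":
    # Constructed lib/ listing, not copied from a real ActiveMQ distribution.
    sample_lib = ["activemq-broker-5.16.0.jar", "log4j-1.2.17.jar",
                  "log4j-core-2.14.1.jar", "log4j-api-2.14.1.jar", "log4j-core-2.15.0.jar"]
    for jar, status in scan(sample_lib):
        print(f"{jar:28} {status}")
    # Constructed properties fragment (hypothetical appender name "jms").
    sample_props = "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n" \
                   "log4j.appender.jms.TopicBindingName=logTopic\n"
    print("JMS appenders configured:", jms_appenders(sample_props))
```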

Re: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Justin Bertram <jb...@apache.org>.
ActiveMQ 5.17.0 has not been released yet which is why you can't find it on
the website to download. Note that the website [1] refers to 5.17.0 as
"upcoming."


Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Wed, Dec 15, 2021 at 2:48 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS
INTEGRA, INC.] <ra...@nasa.gov.invalid> wrote:


Re: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

Maybe I missed your message: 5.17.0 has not been released yet; it's
planned for Jan.
As a reminder, 5.16.x and 5.15.x are not impacted as they use log4j 1.x.

Regards
JB

On Wed, Dec 15, 2021 at 9:47 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS
INTEGRA, INC.] <ra...@nasa.gov.invalid> wrote: