Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/12/15 21:03:00 UTC
[jira] [Comment Edited] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
[ https://issues.apache.org/jira/browse/AMQ-7370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460247#comment-17460247 ]
Justin Bertram edited comment on AMQ-7370 at 12/15/21, 9:02 PM:
----------------------------------------------------------------
[~stappe], no. The move to Log4j 2.x was moved to 5.17.0 which has not yet been released. See AMQ-7426.
was (Author: jbertram):
[~stappe], no. The move to Log4j 2.x was moved to 5.17.0 which has not yet been released.
> log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571
> -------------------------------------------------------------------------------
>
> Key: AMQ-7370
> URL: https://issues.apache.org/jira/browse/AMQ-7370
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.15.10, 5.15.11
> Reporter: Abhijit Rajwade
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> Sonatype Nexus auditor is reporting the following log4j-related security issue on Apache ActiveMQ 5.15.10 and 5.15.11. The recommendation is to use org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. Can you please check if Apache ActiveMQ is vulnerable and if so upgrade based on the recommendation?
> Description from CVE
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
> Explanation
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which result in arbitrary code execution when deserialized.
> NOTE: Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> Starting with version(s) 2.x, log4j:log4j was relocated to org.apache.logging.log4j:log4j-core. A variation of this vulnerability exists in org.apache.logging.log4j:log4j-core as CVE-2017-5645, in versions up to but excluding 2.8.2. Therefore, it is recommended to upgrade to org.apache.logging.log4j:log4j-core version(s) 2.8.2 and above. For log4j:log4j 1.x versions however, a fix does not exist.
> Root Cause
> activemq-all-5.15.10.jar <= org/apache/log4j/net/SocketServer.class : (,)
> Advisories
> Project: https://issues.apache.org/jira/browse/LOG4J2-1863
> Project: https://lists.apache.org/thread.html/84cc4266238e057b95eb95d…
> Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1785616
> CVSS Details
> Sonatype CVSS 3: 9.8
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
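The "Root Cause" line above points at a single class path, org/apache/log4j/net/SocketServer.class, bundled inside activemq-all-5.15.10.jar. The script below is an added example (not code from the ActiveMQ project or from this issue) that checks deployed jars for that entry, descending into nested jars because fat jars like activemq-all shade log4j alongside lib jars. The sample archive it builds is constructed in memory for illustration; the "activemq-all-5.15.10.jar" name and the lib/log4j-1.2.17.jar entry are assumed, not read from a real artifact.

```python
"""
Scan jar/war archives for the log4j 1.2 SocketServer class that the issue's
"Root Cause" line flags inside activemq-all-5.15.10.jar.
Added example; not ActiveMQ project code.
"""
import io
import sys
import zipfile

# Entry path quoted in the issue's "Root Cause" line.
VULNERABLE_ENTRY = "org/apache/log4j/net/SocketServer.class"
# Archive suffixes worth descending into (fat jars, wars, nested libs).
NESTED_SUFFIXES = (".jar", ".war", ".zip")


def scan_archive_bytes(data, name, depth=0, max_depth=3):
    """Return every location of VULNERABLE_ENTRY inside the archive bytes.

    Locations use "outer.jar!/inner.jar!/entry" notation so a nested copy
    (e.g. a lib/log4j-1.2.17.jar inside a fat jar) is reported with its full
    containment path.  Data that is not a zip is skipped rather than raising.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for entry in zf.namelist():
            if entry == VULNERABLE_ENTRY:
                hits.append(f"{name}!/{entry}")
            elif entry.lower().endswith(NESTED_SUFFIXES) and depth < max_depth:
                nested = scan_archive_bytes(zf.read(entry), f"{name}!/{entry}",
                                            depth + 1, max_depth)
                hits.extend(nested)
    return hits


def scan_archive(path):
    """Scan an archive on disk and return the list of hit locations."""
    with open(path, "rb") as fh:
        return scan_archive_bytes(fh.read(), str(path))


def build_sample_jar(include_socketserver):
    """Constructed sample input (not a real ActiveMQ artifact): a fat jar with
    a shaded log4j copy at top level plus a nested lib jar.  Class bodies are
    just the CAFEBABE magic; only the entry names matter to the scanner."""
    magic = b"\xca\xfe\xba\xbe"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/log4j/Logger.class", magic)
        if include_socketserver:
            z.writestr(VULNERABLE_ENTRY, magic)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/log4j/Logger.class", magic)
        if include_socketserver:
            z.writestr(VULNERABLE_ENTRY, magic)
        z.writestr("lib/log4j-1.2.17.jar", inner.getvalue())  # assumed name
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python scan_log4j_socketserver.py /path/to/activemq-all-*.jar ...
    # With no arguments the constructed sample jar is scanned instead.
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for hit in scan_archive(path):
                print("FOUND", hit)
    else:
        sample = build_sample_jar(include_socketserver=True)
        for hit in scan_archive_bytes(sample, "activemq-all-5.15.10.jar"):
            print("FOUND", hit)
```

A hit only tells you the class ships in the archive, which is what the auditor reports; whether the process is exposed depends on whether anything actually launches SocketServer to listen for log events. Since the issue notes no fixed log4j 1.x release exists, the presence check is the inventory step that drives the upgrade tracked in AMQ-7426.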
--
This message was sent by Atlassian Jira
(v8.20.1#820001)