You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2022/01/08 06:36:00 UTC

[jira] [Resolved] (AMQ-8449) apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j related security issue

     [ https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved AMQ-8449.
---------------------------------------
    Resolution: Invalid

# log4j 2 (2.17.1) update is planned for ActiveMQ 5.17.x
 # ActiveMQ 5.15/5.16 are NOT impacted by log4shell vulnerability as they are using log4j 1.x

> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j related security issue
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-8449
>                 URL: https://issues.apache.org/jira/browse/AMQ-8449
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 5.16.3
>         Environment: log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder which was flagged by security team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix vulnerability issues.
>            Reporter: Srinivasa Yadlapalli
>            Priority: Critical
>
> log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder which was flagged by security team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which result in arbitrary code execution when deserialized. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)