Posted to users@activemq.apache.org by Justin Bertram <jb...@apache.org> on 2022/01/13 20:58:32 UTC

Re: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
> Log4j 1.2.17 has not been maintained since August 2015.

The "official statement" [1] that you reference is only dealing with
CVE-2021-44228. It's not a general statement about all the security
vulnerabilities in Log4j 1.2.17. It remains a fact that Log4j 1.2.17 is not
impacted by CVE-2021-44228.

> Here an existing security vulnerability (CVE-2019-17571) is not fixed,
> with the note "Users are urged to upgrade to Log4j 2".

Regarding CVE-2019-17571 you can read more on this Jira [2]. In short, as
noted by Jean-Baptiste Onofré, "ActiveMQ is not affected as it doesn't use
the SocketServer. However, I think it makes sense to update/support
log4j2..." AMQ-7426 [3] was later created to track the work to upgrade to
Log4j 2.

> This situation will not be accepted by a number of large customers, which
> demand a timely exchange of this component to the officially released new
> Log4j version 2.

Since you've sent this email to the public Apache ActiveMQ mailing lists
you're dealing with "community support" as described on the ActiveMQ
website [4]. As noted, this support is provided on a volunteer basis.
Furthermore, in the spirit of open-source, all community members are
encouraged (although certainly not required) to get involved. As noted in a
recent position paper [5] from the Apache Software Foundation, "Community
is defined by those who show up and do the work." I would strongly
encourage your organization, as an "intensive user of the Apache
technology," to avail itself of *all* the benefits of open source. With
your help to "do the work" this issue could potentially have been resolved
long ago.

> Therefore we ask you kindly to name and communicate an official release
> date for ActiveMQ 5.17.0 (including the Log4j version 2).

Given the volunteer nature of community support and how open-source works
at Apache I'm not sure "an official release date" can be provided, at least
not like you'd expect from a commercial software vendor. As noted on the
users mailing list as well as the Log4j 2 upgrade PR [6] (linked from the
aforementioned statement about CVE-2021-44228 [1]), the current plan is to
put a release up for vote at the end of January. All community members can
vote on the release for 3 days, and if the vote passes then the release
should be done in early February.

I hope that helps!


Justin

[1] https://activemq.apache.org/news/cve-2021-44228
[2] https://issues.apache.org/jira/browse/AMQ-7370
[3] https://issues.apache.org/jira/browse/AMQ-7426
[4] https://activemq.apache.org/support
[5] https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper
[6] https://github.com/apache/activemq/pull/662

On Thu, Jan 13, 2022 at 2:09 PM Knöringer, Ralf
<ra...@atos.net.invalid> wrote:

> To whom it may concern,
>
>
>
> as an intensive user of the Apache technology in our enterprise
> architecture and product portfolio I may draw your attention to a critical
> issue.
>
> Based on the known vulnerability CVE-2021-44228 in the Log4j Version 2
> many of our large enterprise customers (e.g. Volkswagen Financial Services)
> are becoming very sensitive to the risk of using software elements not
> under maintenance.
>
>
>
> Unfortunately we have this situation with the message broker ActiveMQ
> "Classic" (the latest versions 5.15.15 and 5.16.3) as there is an embedded
> use of the Log4j version 1.2.17.
>
>
>
> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
> Log4j 1.2.17 has not been maintained since August 2015.
>
> (Here an existing security vulnerability (CVE-2019-17571) is not fixed,
> with the note "Users are urged to upgrade to Log4j 2".)
>
>
>
> This situation will not be accepted by a number of large customers, which
> demand a timely exchange of this component to the officially released new
> Log4j version 2.
>
> Therefore we ask you kindly to name and communicate an official release
> date for ActiveMQ 5.17.0 (including the Log4j version 2).
>
>
>
> A timely answer is really appreciated as we think this could mitigate
> negative responses and create positive feedback from the market.
>
>
>
> Best regards
>
> Ralf Knöringer
> Senior Manager
> Big Data & Cybersecurity - IAM
> M: +49 172 5229705
> Otto-Hahn-Ring 6, 81739 Munich - Germany
> atos.net<https://atos.net/>
>
>
>

Re: [External:] Re: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
It has already been shared maybe ten times on the mailing list: vote at the end
of Jan for a release in Feb

Regards
JB

On 13/01/2022 23:57, Yadlapalli, Srinivasa Rao wrote:
> Thank you
> do you guys know the release date for 5.17.0
> 
> 
> Thank you,
> Srinivas
> 
>> On Jan 13, 2022, at 4:07 PM, JB Onofré <jb...@nanthrax.net> wrote:
>>
>> Hi
>>
>> Big thank to Justin for the complete answer. Nothing to add, just again thanks to Justin ;)
>>
>> And yes log4j2 upgrade PR will be ok soon, towards 5.17.0 vote.
>>
>> Regards
>> JB
> 
> 
> Srinivasa Rao Yadlapalli
> Align | www.align.com
> 55 Broad Street, 6th Floor | New York, NY 10004
> Desk +1 212-844-4021

Re: [External:] Re: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

Posted by Justin Bertram <jb...@apache.org>.
> do you guys know the release date for 5.17.0

See my previous message on this thread.


Justin


Re: [External:] Re: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

Posted by "Yadlapalli, Srinivasa Rao" <sy...@align.com>.
Thank you
do you guys know the release date for 5.17.0


Thank you,
Srinivas

> On Jan 13, 2022, at 4:07 PM, JB Onofré <jb...@nanthrax.net> wrote:
>
> Hi
>
> Big thank to Justin for the complete answer. Nothing to add, just again thanks to Justin ;)
>
> And yes log4j2 upgrade PR will be ok soon, towards 5.17.0 vote.
>
> Regards
> JB
>
>> Le 13 janv. 2022 à 21:59, Justin Bertram <jb...@apache.org> a écrit :
>>
>> 
>>>
>>> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
>> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
>> Log4j 1.2.17 has not been maintained since August 2015.
>>
>> The "official statement" [1] that you reference is only dealing with
>> CVE-2021-44228. It's not a general statement about all the security
>> vulnerabilities in Log4j 1.2.17. It remains a fact that Log4j 1.2.17 is not
>> impacted by CVE-2021-44228.
>>
>>> Here an existing security vulnerability, (CVE-2019-17571) is not fixed
>> with the note "Users are urged to upgrade to Log4j 2".
>>
>> Regarding CVE-2019-17571 you can read more on this Jira [2]. In short, as
>> noted by Jean-Baptiste Onofré, "ActiveMQ is not affected as it doesn't use
>> the SocketServer. However, I think it makes sense to update/support
>> log4j2..." AMQ-7426 [3] was later created to track the work to upgrade to
>> Log4j 2.
>>
>>> This situation will not be accepted by a number of large customers, which
>> demand a timely exchange of this component to the officially released new
>> Log4j version 2.
>>
>> Since you've sent this email to the public Apache ActiveMQ mailing lists
>> you're dealing with "community support" as described on the ActiveMQ
>> website [4]. As noted, this support is provided on a volunteer basis.
>> Furthermore, in the spirit of open-source, all community members are
>> encouraged (although certainly not required) to get involved. As noted in a
>> recent position paper [5] from the Apache Software Foundation, "Community
>> is defined by those who show up and do the work." I would strongly
>> encourage your organization, as an "intensive user of the Apache
>> technology," to avail itself of *all* the benefits of open source. With
>> your help to "do the work" this issue could potentially have been resolved
>> long ago.
>>
>>> Therefore we ask you kindly to name and communicate an official release
>> date for ActiveMQ 5.17.0 (including the Log4j version 2).
>>
>> Given the volunteer nature of community support and how open-source works
>> at Apache I'm not sure "an official release date" can be provided, at least
>> not like you'd expect from a commercial software vendor. As noted on the
>> users mailing list as well as the Log4j 2 upgrade PR [6] (linked from the
>> aforementioned statement about CVE-2021-44228 [1]), the current plan is to
>> put a release up for vote at the end of January. All community members can
>> vote on the release for 3 days, and if the vote passes then the release
>> should be done in early February.
>>
>> I hope that helps!
>>
>>
>> Justin
>>
>> [1] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Factivemq.apache.org%2Fnews%2Fcve-2021-44228&amp;data=04%7C01%7C%7C13b426eeb5f54c3455ab08d9d6d8a7a0%7C344b7de6efed4961a165f32e6a42f482%7C0%7C1%7C637777048283299854%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=rZkJxGXjs7meMH5GSzJz6ZN1Oi53EmNKlIscwq6i8fk%3D&amp;reserved=0
>> [2] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FAMQ-7370&amp;data=04%7C01%7C%7C13b426eeb5f54c3455ab08d9d6d8a7a0%7C344b7de6efed4961a165f32e6a42f482%7C0%7C1%7C637777048283299854%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=zMMYglkEXIVUjPnVNS3kOg5jQduGYxomNQLq7oAyBG0%3D&amp;reserved=0
>> [3] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FAMQ-7426&amp;data=04%7C01%7C%7C13b426eeb5f54c3455ab08d9d6d8a7a0%7C344b7de6efed4961a165f32e6a42f482%7C0%7C1%7C637777048283299854%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=V2uyuVr5R9seRSNtBWZOk%2FV0kHIDepyBb40rz011bt4%3D&amp;reserved=0
>> [4] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Factivemq.apache.org%2Fsupport&amp;data=04%7C01%7C%7C13b426eeb5f54c3455ab08d9d6d8a7a0%7C344b7de6efed4961a165f32e6a42f482%7C0%7C1%7C637777048283299854%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=VoDvAtJTBHVmlXYphArUvZIcSZ8Xdq12q5imGNFVbfo%3D&amp;reserved=0
>> [5] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwiki.apache.org%2Fconfluence%2Fdisplay%2FCOMDEV%2FPosition%2BPaper&amp;data=04%7C01%7C%7C13b426eeb5f54c3455ab08d9d6d8a7a0%7C344b7de6efed4961a165f32e6a42f482%7C0%7C1%7C637777048283299854%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=1HOGj6V73OYfLTBfJ2Caem0z7C4plffcUyqY%2BSyFYVY%3D&amp;reserved=0
>> [6] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Factivemq%2Fpull%2F662&amp;data=04%7C01%7C%7C13b426eeb5f54c3455ab08d9d6d8a7a0%7C344b7de6efed4961a165f32e6a42f482%7C0%7C1%7C637777048283299854%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=SdzLA7sNUxMEG30OAxcOIAv3Cqvob%2FJuAldi1zDOCd0%3D&amp;reserved=0
>>
>>> On Thu, Jan 13, 2022 at 2:09 PM Knöringer, Ralf
>>> <ra...@atos.net.invalid> wrote:
>>>
>>> To whom it may concern,
>>>
>>>
>>>
>>> as an intensive user of the Apache technology in our enterprise
>>> architecture and product portfolio I may draw your attention to a critical
>>> issue.
>>>
>>> Based on the known vulnerability CVE-2021-44228 in the Log4j Version 2
>>> many of our large enterprise customers (e.g. Volkswagen Financial Services)
>>> are becoming very sensitive to the risk of using software elements not
>>> under maintenance.
>>>
>>>
>>>
>>> Unfortunately we have this situation with the message broker ActiveMQ
>>> "Classic" (the latest versions 5.15.15 and 5.16.3) as there is an embedded
>>> use of the Log4j version 1.2.17.
>>>
>>>
>>>
>>> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use
>>> Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as
>>> Log4j 1.2.17 has not been maintained since August 2015.
>>>
>>> (Here an existing security vulnerability, (CVE-2019-17571) is not fixed
>>> with the note "Users are urged to upgrade to Log4j 2".)
>>>
>>>
>>>
>>> This situation will not be accepted by a number of large customers, which
>>> demand a timely exchange of this component to the officially released new
>>> Log4j version 2.
>>>
>>> Therefore we ask you kindly to name and communicate an official release
>>> date for ActiveMQ 5.17.0 (including the Log4j version 2).
>>>
>>>
>>>
>>> A timely answer is really appreciated as we think this could mitigate
>>> negative responses and create positive feedback from the market.
>>>
>>>
>>>
>>> Best regards
>>>
>>> Ralf Knöringer
>>> Senior Manager
>>> Big Data & Cybersecurity - IAM
>>> M: +49 172 5229705
>>> Otto-Hahn-Ring 6, 81739 Munich - Germany
>>> atos.net<https://atos.net/>
>>>
>>> Atos Information Technology GmbH; Managing Directors: Udo Littke, Boris
>>> Hecker; Chairman of the Supervisory Board: N.N.; Registered office: Munich;
>>> Commercial register of the local court of Munich, HRB 235509
>>>
>>>
>


Srinivasa Rao Yadlapalli

Re: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

Posted by JB Onofré <jb...@nanthrax.net>.
Hi

Big thanks to Justin for the complete answer. Nothing to add, just again thanks to Justin ;)

And yes log4j2 upgrade PR will be ok soon, towards 5.17.0 vote. 

Regards 
JB



Re: AW: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Ralf,

IMHO, there are no uncertainties. It's just up to us to explain and calm 
down any non technical guys who don't understand the issue and the 
mitigation.

People are stressed without any reason (I mean for ActiveMQ), and 
upgrading to 5.17.x just for log4j 2 update doesn't make sense to me.

I'm sure a bunch of guys are using a bunch of EOL/less maintained components 
(and they don't know it).

Sometimes it's hard to be an open source technical guy, you have more 
stress/constraint than reward ;)

Regards
JB

On 14/01/2022 10:48, Knöringer, Ralf wrote:
> Hello Justin,
> 
> Thank you for the clarification.
> Of course I understand that there is no immediate vulnerability risk.
> Nevertheless the widespread use of the component and the sensitivity of the security community on this issue must not be underestimated.
> Therefore a timely release of version 5.17 with updated log4j would help to reduce some uncertainties.
> 
> Best Regards
> Ralf
> 
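Added example, not code from the thread or the ActiveMQ project: the inventory check that JB's point about unknowingly running EOL components calls for. It walks a broker lib/ directory, reports each log4j jar's Maven version, and flags whether the jar bundles the Log4j 1 SocketServer class that CVE-2019-17571 concerns (a risk only if a SocketServer is actually started, which the thread notes ActiveMQ does not do) or the Log4j 2 JndiLookup class behind CVE-2021-44228. The jars written by `build_sample_lib`, their contents and the `placeholder/` entries are constructed stand-ins, not real artifacts.

```python
"""Inventory log4j jars under a directory and flag the surface for the two CVEs
discussed in the thread. Added example; assumes Maven-style pom.properties
inside each jar, which real log4j jars carry."""
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Log4j 1.x receiver class CVE-2019-17571 concerns (untrusted deserialization).
# Bundled in log4j-1.2.17.jar, but only reachable if a SocketServer is run.
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Log4j 2.x class behind CVE-2021-44228 (JNDI lookup); never in a Log4j 1 jar.
LOG4J2_JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Log4jJar:
    path: str
    version: str            # from META-INF/maven/**/pom.properties or "unknown"
    has_socket_server: bool
    has_jndi_lookup: bool

    def findings(self) -> list[str]:
        """Triage lines for this jar; empty when neither class is bundled."""
        out = []
        if self.has_jndi_lookup:
            out.append("CVE-2021-44228: JndiLookup class bundled")
        if self.has_socket_server:
            out.append("CVE-2019-17571: SocketServer class bundled "
                       "(exploitable only if a SocketServer process is run)")
        return out


def _jar_version(zf: zipfile.ZipFile) -> str:
    """Version from the first Maven pom.properties in the jar, else 'unknown'."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return "unknown"


def inventory(lib_dir: str) -> list[Log4jJar]:
    """One record per log4j*.jar under lib_dir (recursive), sorted by path."""
    found = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not (name.startswith("log4j") and name.endswith(".jar")):
                continue
            path = os.path.join(root, name)
            with zipfile.ZipFile(path) as zf:
                entries = set(zf.namelist())
                found.append(Log4jJar(path, _jar_version(zf),
                                      LOG4J1_SOCKET_SERVER in entries,
                                      LOG4J2_JNDI_LOOKUP in entries))
    return sorted(found, key=lambda j: j.path)


def build_sample_lib() -> str:
    """Constructed stand-in for a broker lib/ directory (not real jars): a
    1.2.17-style jar bundling SocketServer, a Log4j 2-style jar bundling
    JndiLookup, and an unrelated jar that the scan must ignore."""
    lib = tempfile.mkdtemp(prefix="lib-")
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; never loaded
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("META-INF/maven/log4j/log4j/pom.properties",
                    "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n")
        zf.writestr(LOG4J1_SOCKET_SERVER, fake_class)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.x.jar"), "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/"
                    "pom.properties", "version=2.x-constructed\n")
        zf.writestr(LOG4J2_JNDI_LOOKUP, fake_class)
    with zipfile.ZipFile(os.path.join(lib, "placeholder.jar"), "w") as zf:
        zf.writestr("placeholder/Placeholder.class", fake_class)
    return lib


if __name__ == "__main__":
    for jar in inventory(build_sample_lib()):
        print(jar.path, jar.version, jar.findings() or ["no finding"])
```

Point it at a real broker with `inventory("/path/to/activemq/lib")`; a jar reporting 1.2.17 with only the SocketServer finding matches the situation the thread describes.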

AW: Call for action - vulnerability (CVE-2021-44228,CVE-2019-17571) - Active MQ classic

Posted by "Knöringer, Ralf" <ra...@atos.net.INVALID>.
Hello Justin,

Thank you for the clarification.
Of course I understand that there is no immediate vulnerability risk.
Nevertheless the widespread use of the component and the sensitivity of the security community on this issue must not be underestimated.
Therefore a timely release of version 5.17 with updated log4j would help to reduce some uncertainties.

Best Regards
Ralf
