You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@activemq.apache.org by Chad Broadus <Ch...@finvi.com> on 2021/12/16 18:10:52 UTC

Apache.NMS.ActiveMQ Log4j vulnerability

Is either Apache.NMS 1.8 or Apache.NMS.ActiveMQ 1.8 vulnerable to the log4j exploit?
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.

Re: Apache.NMS.ActiveMQ Log4j vulnerability

Posted by Justin Bertram <jb...@apache.org>.

The various Apache NMS projects from ActiveMQ are based on .NET (using C#).
Log4j is a *Java* library. Therefore, no NMS project will even be using
Log4j.

Also, in general it is important to be specific when discussing security
issues. You simply say "Log4j vulnerability" and "log4j exploit", but there
are numerous CVEs for Log4j. You should be specific about which one you're
concerned about. I assume here that you're concerned about CVE-2021-44228
in which case you can find further details on the ActiveMQ website [1].

Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Thu, Dec 16, 2021 at 12:16 PM Chad Broadus <Ch...@finvi.com>
wrote:

> Is either Apache.NMS 1.8 or Apache.NMS.ActiveMQ 1.8 vulnerable to the
> log4j exploit?
> Attention: This message and all attachments are private and may contain
> information that is confidential and privileged. If you received this
> message in error, please notify the sender by reply email and delete the
> message immediately.
>
>