Posted to commits@activemq.apache.org by jb...@apache.org on 2021/12/16 17:59:41 UTC

[activemq-website] branch main updated: Update for clarity and accuracy.

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new ec5d1a1  Update for clarity and accuracy.
ec5d1a1 is described below

commit ec5d1a1ba564df81b307ad24efca4ab883f67015
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Thu Dec 16 11:59:33 2021 -0600

    Update for clarity and accuracy.
---
 src/_news/CVE-2021-44228.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/_news/CVE-2021-44228.md b/src/_news/CVE-2021-44228.md
index 246793e..2c7cc4b 100644
--- a/src/_news/CVE-2021-44228.md
+++ b/src/_news/CVE-2021-44228.md
@@ -5,8 +5,12 @@ shortDescription:
 title-class: page-title-main
 type: main
 ---
+#### Summary
+
 [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ "Classic" and Artemis. In short, **CVE-2021-44228 has no impact on any ActiveMQ broker** because no ActiveMQ broker uses any version of Log4j2. To reiterate, **no action is required to mitigate CVE-2021-44228**.
 
-ActiveMQ "Classic" *does* use Log4j for logging, but the latest versions (i.e. [5.15.15](https://activemq.apache.org/activemq-5015015-release) and [5.16.3](https://activemq.apache.org/activemq-5016003-release)) use Log4j 1.2.17 which is not impacted by CVE-2021-44228. This version of Log4j has been used since 5.7.0. The upcoming ActiveMQ [5.17.0](https://github.com/apache/activemq/tree/main) [will use Log4j2](https://github.com/apache/activemq/pull/662), but the pull request will be upda [...]
+#### Additional Details
+
+ActiveMQ "Classic" *does* use Log4j for logging, but the latest versions (i.e. [5.15.15](https://activemq.apache.org/activemq-5015015-release) and [5.16.3](https://activemq.apache.org/activemq-5016003-release)) use Log4j 1.2.17 which is not impacted by CVE-2021-44228. This version of Log4j has been used since 5.7.0. The upcoming ActiveMQ [5.17.0](https://github.com/apache/activemq/tree/main) [will use Log4j2](https://github.com/apache/activemq/pull/662), but the pull request will be upda [...]
 
-ActiveMQ Artemis *does not* use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. `web/console.war/WEB-INF/lib`). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive.
+ActiveMQ Artemis *does not* use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. `web/console.war/WEB-INF/lib`). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See [ARTEMIS-3612](https://issues.apache.org/jira/browse/ARTEMIS-3612) for more information on that task.
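
Review bot: The sentence now sitting under the new "Summary" heading says "no ActiveMQ broker uses any version of Log4j2" with no version scope, while the "Additional Details" paragraph directly below it says the upcoming 5.17.0 will use Log4j2. Consider scoping the summary to released brokers (for example "no released ActiveMQ broker") so the two sections do not contradict each other once 5.17.0 ships. In the rewritten Artemis line, a comma is missing after "CVE-2021-44228" in "Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated"; since the line is already being replaced, it could be fixed in the same change.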