Posted to issues@activemq.apache.org by "Christopher L. Shannon (Jira)" <ji...@apache.org> on 2022/02/01 11:29:00 UTC

[jira] [Closed] (AMQ-8449) apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j related security issue

     [ https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon closed AMQ-8449.
---------------------------------------
    Resolution: Duplicate

Closing this as a duplicate as there's already been a ton of discussion on this and Jiras opened.

Information about Log4j 1.x, the upgrade to 2.x and how the CVEs affect AMQ has been answered over and over again (I've lost count how many times) on the mailing lists already.

You can get info on the mailing lists here: https://activemq.apache.org/contact

There's also information here: https://activemq.apache.org/news/cve-2021-44228

> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j related security issue
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-8449
>                 URL: https://issues.apache.org/jira/browse/AMQ-8449
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 5.16.3
>         Environment: log4j-1.2.17.1.jar file exists in the "apache-activemq-5.16.3\lib\optional" folder, which was flagged by the security team for a vulnerability issue...
> Please advise how to upgrade this to the latest log4j 2.x to fix the vulnerability issues.
>            Reporter: Srinivasa Yadlapalli
>            Priority: Critical
>
> log4j-1.2.17.1.jar file exists in the "apache-activemq-5.16.3\lib\optional" folder, which was flagged by the security team for a vulnerability issue...
> Please advise how to upgrade this to the latest log4j 2.x to fix the vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify whether the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which results in arbitrary code execution when deserialized.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)