Posted to dev@activemq.apache.org by Laurent Blanquet <lb...@b2btechno.net> on 2022/01/03 15:00:32 UTC

ActiveMQ 5.17 and log4j2

Hi Guys,

It seems that the latest version available is still using log4j 1.2.17.

Unfortunately we have a customer who has a strong requirement to migrate to log4j2 before 10 January!

Is there a (simple) means to force this version (or 5.16.3?) to use log4j 2.17?

Regards,

Laurent

RE: ActiveMQ 5.17 and log4j2

Posted by Laurent Blanquet <lb...@b2btechno.net>.
Hi JB and all,

@JB: It's very kind of you to propose to speak to the customer. I will transmit your proposal and let you know.

From my perspective, the security team of the company (a big multinational) has decreed a rule and will apply it blindly at the end of the month.

I have already tried to explain the situation to them with the following links :

	https://activemq.apache.org/news/cve-2021-44228 
	https://lists.apache.org/thread/l3wsj723ojd0rfn2mo15so5jjhxs92sp

and proposed to use this trick (tested on ActiveMQ 5.6.13) to avoid any setup with simpleServer or JMSAppender:

	https://stackoverflow.com/questions/70345869/how-to-mitigate-apache-log4j-deserialization-rce-cve-2019-17571

I'll keep you informed about the decision of my customer.

Many thanks to all... Apache rocks!

Laurent



Re: ActiveMQ 5.17 and log4j2

Posted by Jean-Baptiste Onofre <jb...@nanthrax.net>.
That’s unrelated: it’s different and not as critical as log4shell.

So, just to be clear:

- upgrading to ActiveMQ 5.17.0 because of log4shell doesn’t make sense to me, as ActiveMQ 5.15/5.16 are not impacted
- as ActiveMQ 5.17.0 is a big change compared to 5.16 (it’s a larger jump than from 5.15 to 5.16), I don’t think it’s a good idea to upgrade “just for log4j”
- I won’t take any pressure about timing, as we include a lot of changes and still have some work to do. Target date is end of January.

So, I stay on my standpoint: just stay with ActiveMQ 5.16.3 (5.16.4 is also in preparation), it’s more secure than jumping directly to 5.17.0.

Regards
JB



Re: ActiveMQ 5.17 and log4j2

Posted by Xeno Amess <xe...@gmail.com>.
Well, log4j 1 has its own vulnerabilities too.


Re: ActiveMQ 5.17 and log4j2

Posted by Justin Bertram <jb...@apache.org>.
FWIW your image.png didn't come through. I don't believe the mailing list
supports attachments.


Justin


Re: ActiveMQ 5.17 and log4j2

Posted by Xeno Amess <xe...@gmail.com>.
He is complaining about this:
[image: image.png]


Re: ActiveMQ 5.17 and log4j2

Posted by JB Onofré <jb...@nanthrax.net>.
I don’t understand.

Again, ActiveMQ 5.16 is NOT impacted by log4shell.

So why upgrade for that?

And no, you won’t have 5.17.0 on 31/01, as I plan to start the vote on that date.

I would rather explain to your customer that ActiveMQ still uses log4j 1 and so there is no need to update.

We already explained this several times on the mailing list.

If you want, I can talk to you and your customer to explain and provide details.

Regards 
JB



Re: ActiveMQ 5.17 and log4j2

Posted by Justin Bertram <jb...@apache.org>.
> Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they want to migrate.

It's worth noting that CVE-2019-17571 doesn't impact ActiveMQ 5.x since it
doesn't use the Log4j SocketServer. See more here [1]. Also, CVE-2021-4104
only affects Log4j 1.2 when it is specifically configured to use the
JMSAppender (which is not enabled by default). In my opinion it would be
quite odd to configure the logging for ActiveMQ to use the JMSAppender so
your customer probably has nothing to worry about here.

JB is managing the release of 5.17.0. I'm not sure how confident he is that
it will be done by the end of the month.


Justin

[1] https://issues.apache.org/jira/browse/AMQ-7370

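The two conditions Justin spells out above (CVE-2021-4104 needs a JMSAppender that is actually configured and attached to a logger; CVE-2019-17571 needs the Log4j SocketServer, which ActiveMQ does not run) can be checked rather than argued. The script below is an added example, not ActiveMQ or log4j project code. It assumes the logging configuration is a log4j 1.x `.properties` file (as in ActiveMQ's `conf/log4j.properties`) and that the jar is an ordinary zip archive; the sample config and the stand-in jar are constructed for the demo. The last function applies the "delete the offending classes from the jar" mitigation that Laurent's StackOverflow link appears to describe, which is my reading of it rather than something the thread states.

```python
"""Check a log4j 1.2 deployment for the two CVEs discussed in this thread.

Added example (not ActiveMQ or log4j project code). Assumptions: the logging
config is a log4j 1.x .properties file (ActiveMQ ships conf/log4j.properties),
and the jar is an ordinary zip archive. The sample config and jar below are
constructed for the demo.
"""
import io
import re
import zipfile

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"            # CVE-2021-4104
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
SOCKET_SERVER_CLASSES = (                                    # CVE-2019-17571
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
)

_APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
_LOGGER_DEF = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def parse_log4j_properties(text):
    """Return (appenders, attached).

    appenders: appender name -> class name, from log4j.appender.NAME=CLASS.
    attached: appender names some logger references. log4j 1.2's
    PropertyConfigurator instantiates only those, so a JMSAppender that is
    defined but attached to no logger is never constructed.
    """
    appenders, attached = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _APPENDER_DEF.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = _LOGGER_DEF.match(line)
        if m:
            value = m.group(1).strip()
            tokens = [t.strip() for t in value.split(",")]
            if not value.startswith(","):
                tokens = tokens[1:]  # first token is the level (INFO, INHERITED, ...)
            attached.update(t for t in tokens if t)
    return appenders, attached


def jms_appender_findings(text):
    """CVE-2021-4104 applies only when JMSAppender is configured *and* in use."""
    appenders, attached = parse_log4j_properties(text)
    jms = [name for name, cls in appenders.items() if cls == JMS_APPENDER]
    return {
        "active": sorted(n for n in jms if n in attached),
        "dormant": sorted(n for n in jms if n not in attached),
    }


def risky_classes_in_jar(jar_bytes):
    """List which CVE-relevant classes the jar still contains."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return sorted(n for n in (JMS_APPENDER_CLASS, *SOCKET_SERVER_CLASSES) if n in names)


def strip_classes_from_jar(jar_bytes, classes):
    """Return a copy of the jar without the given entries (the common
    'remove the vulnerable classes' mitigation for log4j 1.2 jars)."""
    drop = set(classes)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in drop:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_fake_jar(entries):
    """Constructed stand-in for log4j-1.2.17.jar: entry names with dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample, loosely modelled on ActiveMQ's conf/log4j.properties,
# with a JMSAppender defined but attached to no logger.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, console, logfile
log4j.logger.org.apache.activemq.spring=WARN
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.Ctx
"""

if __name__ == "__main__":
    print(jms_appender_findings(SAMPLE_CONFIG))        # {'active': [], 'dormant': ['jms']}
    jar = build_fake_jar(["META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
                          JMS_APPENDER_CLASS, SOCKET_SERVER_CLASSES[0]])
    found = risky_classes_in_jar(jar)
    print(found)                                         # both risky classes present
    print(risky_classes_in_jar(strip_classes_from_jar(jar, found)))  # []
```

The config check only covers `.properties` configuration; a broker configured through `log4j.xml` or programmatically would need a separate check, and a defined-but-unattached JMSAppender is reported as dormant rather than ignored because a later config change could attach it. Removing the class files is a mitigation for the jar you ship, not a substitute for the upgrade path the thread discusses.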

RE: ActiveMQ 5.17 and log4j2

Posted by Laurent Blanquet <lb...@b2btechno.net>.
Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they want to migrate.

Good news: we've obtained a deadline of 31/01/2022.

Are you confident, guys, that we'll have the 5.17 release by this date, or do we have to develop some kind of patch?

Regards,

Laurent

Re: ActiveMQ 5.17 and log4j2

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Only Log4j2 is impacted, not log4j 1.x.

It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell 
vulnerability.

Regards
JB


Re: ActiveMQ 5.17 and log4j2

Posted by Xeno Amess <xe...@gmail.com>.
Just show the log4j2 CVE list to that customer, and persuade him there is no hurry to migrate.

XenoAmess


Re: ActiveMQ 5.17 and log4j2

Posted by JB Onofré <jb...@nanthrax.net>.
About 5.16, no way: it’s log4j 1.x.

And log4j 1.x is not impacted by the log4shell vulnerability, so no need to update.

Regards 
JB



Re: ActiveMQ 5.17 and log4j2

Posted by JB Onofré <jb...@nanthrax.net>.
I have a PR about upgrading to log4j 2.17.1 but I didn’t merge it yet. 

I will in the coming days. 

Regards 
JB



Re: ActiveMQ 5.17 and log4j2

Posted by Justin Bertram <jb...@apache.org>.
Version 5.17 hasn't even been released yet so it's not possible to say what
exact version of Log4j it will be using. As noted on the website [1] and in
this PR [2] 5.17 *will* be using Log4j 2.x.


Justin

[1] https://activemq.apache.org/news/cve-2021-44228
[2] https://github.com/apache/activemq/pull/662
