Posted to commits@activemq.apache.org by jb...@apache.org on 2021/12/14 20:56:12 UTC

[activemq-website] branch main updated: Update to address CVE-2021-44228

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 9547500  Update to address CVE-2021-44228
9547500 is described below

commit 9547500c9bb966b4a9eadcabddf0f5d6a0c044d3
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Tue Dec 14 14:55:52 2021 -0600

    Update to address CVE-2021-44228
---
 src/_news/CVE-2021-44228.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/_news/CVE-2021-44228.md b/src/_news/CVE-2021-44228.md
new file mode 100644
index 0000000..246793e
--- /dev/null
+++ b/src/_news/CVE-2021-44228.md
@@ -0,0 +1,12 @@
+---
+release_date: 2021-12-14
+title: Update on CVE-2021-44228
+shortDescription:
+title-class: page-title-main
+type: main
+---
+[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ "Classic" and Artemis. In short, **CVE-2021-44228 has no impact on any ActiveMQ broker** because no ActiveMQ broker uses any version of Log4j2. To reiterate, **no action is required to mitigate CVE-2021-44228**.
+
+ActiveMQ "Classic" *does* use Log4j for logging, but the latest versions (i.e. [5.15.15](https://activemq.apache.org/activemq-5015015-release) and [5.16.3](https://activemq.apache.org/activemq-5016003-release)) use Log4j 1.2.17 which is not impacted by CVE-2021-44228. This version of Log4j has been used since 5.7.0. The upcoming ActiveMQ [5.17.0](https://github.com/apache/activemq/tree/main) [will use Log4j2](https://github.com/apache/activemq/pull/662), but the pull request will be upda [...]
+
+ActiveMQ Artemis *does not* use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. `web/console.war/WEB-INF/lib`). Although this version of Log4j is not impacted by CVE-2021-44228 future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive.
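Review bot: the `shortDescription:` front-matter field on the first hunk lines is left empty even though the body states its key takeaway in bold; consider filling it with the one-line summary the page already makes ("No ActiveMQ broker uses Log4j2; no action is required to mitigate CVE-2021-44228") so the field is not blank wherever it is rendered. In the Artemis paragraph, the page says Log4j 1.2.17 ships inside `web/console.war/WEB-INF/lib` and will be removed in future versions, but gives readers no way to confirm this on their own installation; one sentence telling them to list that directory and verify that the only Log4j jar present is the 1.2.17 artifact (and not a Log4j2 `log4j-core` jar) would make the "no action required" claim checkable rather than taken on trust.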