Posted to users@activemq.apache.org by Lionel Cons <li...@cern.ch> on 2021/12/13 08:59:49 UTC

ActiveMQ 5.16 and log4j vulnerabilities

Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.

I’ve read different things from different sources.

According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".

According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".

It seems that ActiveMQ 5.16 uses log4j 1.2.17.

Could we please get an official statement about ActiveMQ’s security wrt log4j?

Thanks!

Lionel

Re: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Justin Bertram <jb...@apache.org>.
> We are using ActiveMQ Classic 5.15.4.  Thus, we need to upgrade to either
> ActiveMQ Classic 5.15.15 or 5.16.3, correct?

That is *not* correct. Did you happen to take a look at the documentation
[1] on this which I linked? There are some highlighted statements which
answer your question specifically.


Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Wed, Dec 15, 2021 at 3:06 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS
INTEGRA, INC.] <ra...@nasa.gov.invalid> wrote:

> We are using ActiveMQ Classic 5.15.4.  Thus, we need to upgrade to either
> ActiveMQ Classic 5.15.15 or 5.16.3, correct?
>
> Thanks
>
> Regards,
> Rahman
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Wednesday, December 15, 2021 3:58 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities
>
> > Could we please get an official statement about ActiveMQ's security wrt
> > log4j?
>
> To be clear, this [1] is the official statement you requested.
>
>
> Justin
>
> [1] https://activemq.apache.org/news/cve-2021-44228
>
> On Mon, Dec 13, 2021 at 3:00 AM Lionel Cons <li...@cern.ch> wrote:
>
> > Recently, a new critical vulnerability has been published for log4j:
> > CVE-2021-44228.
> >
> > I've read different things from different sources.
> >
> > According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> > "This issue only affects log4j versions between 2.0 and 2.14.1".
> >
> > According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q):
> > "Any Log4J version prior to v2.15.0 is affected to this specific issue."
> > and, more explicitly, "The v1 branch of Log4J which is considered End Of
> > Life (EOL) is vulnerable to other RCE vectors so the recommendation is to
> > still update to 2.15.0 where possible.".
> >
> > It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> >
> > Could we please get an official statement about ActiveMQ's security
> > wrt log4j?
> >
> > Thanks!
> >
> > Lionel
>
>

RE: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by "Gunawan, Rahman (GSFC-703.H)[BUSINESS INTEGRA, INC.]" <ra...@nasa.gov.INVALID>.
We are using ActiveMQ Classic 5.15.4.  Thus, we need to upgrade to either ActiveMQ Classic 5.15.15 or 5.16.3, correct?

Thanks

Regards,
Rahman

-----Original Message-----
From: Justin Bertram <jb...@apache.org> 
Sent: Wednesday, December 15, 2021 3:58 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

> Could we please get an official statement about ActiveMQ's security
> wrt log4j?

To be clear, this [1] is the official statement you requested.


Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Mon, Dec 13, 2021 at 3:00 AM Lionel Cons <li...@cern.ch> wrote:

> Recently, a new critical vulnerability has been published for log4j:
> CVE-2021-44228.
>
> I've read different things from different sources.
>
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> "This issue only affects log4j versions between 2.0 and 2.14.1".
>
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q):
> "Any Log4J version prior to v2.15.0 is affected to this specific issue."
> and, more explicitly, "The v1 branch of Log4J which is considered End Of
> Life (EOL) is vulnerable to other RCE vectors so the recommendation is to
> still update to 2.15.0 where possible.".
>
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
>
> Could we please get an official statement about ActiveMQ's security 
> wrt log4j?
>
> Thanks!
>
> Lionel

Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Justin Bertram <jb...@apache.org>.
> Could we please get an official statement about ActiveMQ’s security wrt
> log4j?

To be clear, this [1] is the official statement you requested.


Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Mon, Dec 13, 2021 at 3:00 AM Lionel Cons <li...@cern.ch> wrote:

> Recently, a new critical vulnerability has been published for log4j:
> CVE-2021-44228.
>
> I’ve read different things from different sources.
>
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> "This issue only affects log4j versions between 2.0 and 2.14.1".
>
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any
> Log4J version prior to v2.15.0 is affected to this specific issue." and, more
> explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is
> vulnerable to other RCE vectors so the recommendation is to still update to
> 2.15.0 where possible.".
>
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
>
> Could we please get an official statement about ActiveMQ’s security wrt
> log4j?
>
> Thanks!
>
> Lionel

Re: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Justin Bertram <jb...@apache.org>.
ActiveMQ 5.17.0 has not been released yet which is why you can't find it on
the website to download. Note that the website [1] refers to 5.17.0 as
"upcoming."


Justin

[1] https://activemq.apache.org/news/cve-2021-44228

On Wed, Dec 15, 2021 at 2:48 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS
INTEGRA, INC.] <ra...@nasa.gov.invalid> wrote:

> I couldn't find ActiveMQ 5.17.x in
> https://activemq.apache.org/download-archives.  Could you please let me
> know where I can download ActiveMQ 5.17?
>
> Thanks
>
> Regards,
> Rahman
>
> -----Original Message-----
> From: Jean-Baptiste Onofré <jb...@nanthrax.net>
> Sent: Monday, December 13, 2021 4:50 AM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities
>
> Hi,
>
> I was about to send a message to the mailing list to give an update.
>
> 1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by
> CVE-2021-44228. The other mentioned CVE only affects users using the JMS
> appender, which is pretty rare.
> 2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm
> updating to log4j 2.0.15 in this PR, addressing the CVE.
>
> Regards
> JB
>
> On 13/12/2021 09:59, Lionel Cons wrote:
> > Recently, a new critical vulnerability has been published for log4j:
> > CVE-2021-44228.
> >
> > I've read different things from different sources.
> >
> > According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228):
> > "This issue only affects log4j versions between 2.0 and 2.14.1".
> >
> > According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q):
> > "Any Log4J version prior to v2.15.0 is affected to this specific issue."
> > and, more explicitly, "The v1 branch of Log4J which is considered End Of
> > Life (EOL) is vulnerable to other RCE vectors so the recommendation is to
> > still update to 2.15.0 where possible.".
> >
> > It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> >
> > Could we please get an official statement about ActiveMQ's security wrt
> > log4j?
> >
> > Thanks!
> >
> > Lionel
> >
>
>

Re: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

Maybe I missed your message: 5.17.0 has not been released yet, it's
planned for Jan.
As a reminder, 5.16.x and 5.15.x are not impacted as they use log4j 1.x.

Regards
JB

On Wed, Dec 15, 2021 at 9:47 PM Gunawan, Rahman (GSFC-703.H)[BUSINESS
INTEGRA, INC.] <ra...@nasa.gov.invalid> wrote:
>
> I couldn't find ActiveMQ 5.17.x in https://activemq.apache.org/download-archives.  Could you please let me know where I can download ActiveMQ 5.17?
>
> Thanks
>
> Regards,
> Rahman
>
> -----Original Message-----
> From: Jean-Baptiste Onofré <jb...@nanthrax.net>
> Sent: Monday, December 13, 2021 4:50 AM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities
>
> Hi,
>
> I was about to send a message to the mailing list to give an update.
>
> 1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by CVE-2021-44228. The other mentioned CVE only affects users using the JMS appender, which is pretty rare.
> 2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE.
>
> Regards
> JB
>
> On 13/12/2021 09:59, Lionel Cons wrote:
> > Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
> >
> > I've read different things from different sources.
> >
> > According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
> >
> > According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".
> >
> > It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> >
> > Could we please get an official statement about ActiveMQ's security wrt log4j?
> >
> > Thanks!
> >
> > Lionel
> >

RE: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by "Gunawan, Rahman (GSFC-703.H)[BUSINESS INTEGRA, INC.]" <ra...@nasa.gov.INVALID>.
I couldn't find ActiveMQ 5.17.x in https://activemq.apache.org/download-archives.  Could you please let me know where I can download ActiveMQ 5.17?

Thanks

Regards,
Rahman

-----Original Message-----
From: Jean-Baptiste Onofré <jb...@nanthrax.net> 
Sent: Monday, December 13, 2021 4:50 AM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: ActiveMQ 5.16 and log4j vulnerabilities

Hi,

I was about to send a message to the mailing list to give an update.

1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by CVE-2021-44228. The other mentioned CVE only affects users using the JMS appender, which is pretty rare.
2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE.

Regards
JB

On 13/12/2021 09:59, Lionel Cons wrote:
> Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
> 
> I've read different things from different sources.
> 
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
> 
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".
> 
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> 
> Could we please get an official statement about ActiveMQ's security wrt log4j?
> 
> Thanks!
> 
> Lionel
> 

Re: Re: Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Benny K <Be...@gmx.net>.
 
Thank you very much! :-)

Sent: Monday, 13 December 2021 at 15:16
From: "Domenico Francesco Bruscino" <br...@gmail.com>
To: users@activemq.apache.org
Subject: Re: Re: ActiveMQ 5.16 and log4j vulnerabilities
Hi Benjamin,

ActiveMQ Artemis 2.17.0 depends on log4j 1.2 and it doesn't
use SocketServer so it's not impacted by those CVEs.

Regards,
Domenico

On Mon, 13 Dec 2021 at 12:28, Benny K <Be...@gmx.net> wrote:

> Hi there,
>
> we are using ActiveMQ Artemis Version 2.17.0
> - Are we affected by those CVEs / Log4Shell?
> - How can we patch?
>
> Thanks and Best Regards
> Benjamin
>
>
>
>
>
> Sent: Monday, 13 December 2021 at 11:04
> From: "Jean-Baptiste Onofré" <jb...@nanthrax.net>
> To: users@activemq.apache.org
> Subject: Re: ActiveMQ 5.16 and log4j vulnerabilities
> My understanding is that CVE-2019-17571 only impacts the socket/JMS appender.
>
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely
> execute arbitrary code when combined with a deserialization gadget when
> listening to untrusted network traffic for log data."
>
> Regards
> JB
>
> On 13/12/2021 10:56, Vilius Šumskas wrote:
> > Hi,
> >
> > The log4j 1.2 series is vulnerable to CVE-2019-17571 which has a CVSS score
> > of 9.8. This needs to be addressed too.
> >
>

Re: Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Hi Benjamin,

ActiveMQ Artemis 2.17.0 depends on log4j 1.2 and it doesn't
use SocketServer so it's not impacted by those CVEs.

Regards,
Domenico

On Mon, 13 Dec 2021 at 12:28, Benny K <Be...@gmx.net> wrote:

> Hi there,
>
> we are using ActiveMQ Artemis Version 2.17.0
> - Are we affected by those CVEs / Log4Shell?
> - How can we patch?
>
> Thanks and Best Regards
> Benjamin
>
>
>
>
>
> Sent: Monday, 13 December 2021 at 11:04
> From: "Jean-Baptiste Onofré" <jb...@nanthrax.net>
> To: users@activemq.apache.org
> Subject: Re: ActiveMQ 5.16 and log4j vulnerabilities
> My understanding is that CVE-2019-17571 only impacts the socket/JMS appender.
>
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely
> execute arbitrary code when combined with a deserialization gadget when
> listening to untrusted network traffic for log data."
>
> Regards
> JB
>
> On 13/12/2021 10:56, Vilius Šumskas wrote:
> > Hi,
> >
> > The log4j 1.2 series is vulnerable to CVE-2019-17571 which has a CVSS score
> > of 9.8. This needs to be addressed too.
> >
>

Re: Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Benny K <Be...@gmx.net>.
Hi there,

we are using ActiveMQ Artemis Version 2.17.0
- Are we affected by those CVEs / Log4Shell?
- How can we patch?

Thanks and Best Regards
Benjamin

Sent: Monday, 13 December 2021 at 11:04
From: "Jean-Baptiste Onofré" <jb...@nanthrax.net>
To: users@activemq.apache.org
Subject: Re: ActiveMQ 5.16 and log4j vulnerabilities
My understanding is that CVE-2019-17571 only impacts the socket/JMS appender.

"Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget when
listening to untrusted network traffic for log data."

Regards
JB

On 13/12/2021 10:56, Vilius Šumskas wrote:
> Hi,
>
> The log4j 1.2 series is vulnerable to CVE-2019-17571 which has a CVSS score of 9.8. This needs to be addressed too.
>

Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
My understanding is that CVE-2019-17571 only impacts the socket/JMS appender.

"Included in Log4j 1.2 is a SocketServer class that is vulnerable to 
deserialization of untrusted data which can be exploited to remotely 
execute arbitrary code when combined with a deserialization gadget when 
listening to untrusted network traffic for log data."

Regards
JB

On 13/12/2021 10:56, Vilius Šumskas wrote:
> Hi,
> 
> The log4j 1.2 series is vulnerable to CVE-2019-17571 which has a CVSS score of 9.8. This needs to be addressed too.
> 

RE: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Vilius Šumskas <v....@advantes.tech.INVALID>.
Hi,

The log4j 1.2 series is vulnerable to CVE-2019-17571 which has a CVSS score of 9.8. This needs to be addressed too.

-- 
    Vilius

-----Original Message-----
From: Jean-Baptiste Onofré <jb...@nanthrax.net> 
Sent: Monday, December 13, 2021 11:50 AM
To: users@activemq.apache.org
Subject: Re: ActiveMQ 5.16 and log4j vulnerabilities

Hi,

I was about to send a message to the mailing list to give an update.

1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by CVE-2021-44228. The other mentioned CVE only affects users using the JMS appender, which is pretty rare.
2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm updating to log4j 2.0.15 in this PR, addressing the CVE.

Regards
JB

On 13/12/2021 09:59, Lionel Cons wrote:
> Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
> 
> I’ve read different things from different sources.
> 
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
> 
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".
> 
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> 
> Could we please get an official statement about ActiveMQ’s security wrt log4j?
> 
> Thanks!
> 
> Lionel
> 

Re: ActiveMQ 5.16 and log4j vulnerabilities

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

I was about to send a message to the mailing list to give an update.

1. ActiveMQ is now using log4j 1.2.x, so it's not impacted by
CVE-2021-44228. The other mentioned CVE only affects users using the JMS
appender, which is pretty rare.
2. ActiveMQ 5.17.x (main) will use log4j2, I have a PR about that. I'm
updating to log4j 2.0.15 in this PR, addressing the CVE.

Regards
JB

On 13/12/2021 09:59, Lionel Cons wrote:
> Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
> 
> I’ve read different things from different sources.
> 
> According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1".
> 
> According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.".
> 
> It seems that ActiveMQ 5.16 uses log4j 1.2.17.
> 
> Could we please get an official statement about ActiveMQ’s security wrt log4j?
> 
> Thanks!
> 
> Lionel
>
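The answers in this thread reduce to two checks an operator can run against an installation: which log4j line the lib/ directory actually ships (1.2.x, or a 2.x release inside the CVE-2021-44228 range), and, for a 1.x install, whether any network appender is configured at all, since that is the code path JB ties CVE-2019-17571 to. The Python below carries out both. It is an added example, not code from ActiveMQ, the Apache news page or anyone in the thread. The jar listings and log4j.properties contents are constructed sample data; the version boundaries (2.0 through 2.14.1 affected, fixed in 2.15.0) and the log4j 1.2 components of concern (SocketServer, the JMS appender) are the ones quoted above. Maven-style jar naming, with the version as the last dash-separated token, is an assumption of the parser.

```python
"""Triage a broker's bundled log4j against the advisories discussed above.

Added example: which log4j line does lib/ ship, and does a 1.x install
declare any network appender in its log4j.properties?
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Range quoted in the thread for CVE-2021-44228: 2.0 through 2.14.1 affected,
# fixed in 2.15.0.
LOG4SHELL_FIXED: Version = (2, 15, 0)

# Package holding log4j 1.x's network components (SocketAppender, JMSAppender,
# SocketServer). The thread names SocketServer and the JMS appender as the
# pieces CVE-2019-17571 concerns, so any appender from this package is flagged.
NET_PACKAGE_1X = "org.apache.log4j.net."

_VERSION_TOKEN = re.compile(r"^\d+(?:\.\d+)*$")


def parse_log4j_jar(filename: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for a Maven-style log4j jar name, else None.

    Assumption: the version is the last dash-separated dotted-number token
    before '.jar' and everything before it is the artifact id, which covers
    log4j-1.2.17.jar, log4j-core-2.14.1.jar and log4j-1.2-api-2.17.0.jar.
    """
    if not filename.startswith("log4j") or not filename.endswith(".jar"):
        return None
    tokens = filename[: -len(".jar")].split("-")
    for i in range(len(tokens) - 1, 0, -1):
        if _VERSION_TOKEN.match(tokens[i]):
            parts = [int(p) for p in tokens[i].split(".")]
            v = (parts + [0, 0, 0])[:3]  # pad so "2.15" compares as 2.15.0
            return "-".join(tokens[:i]), (v[0], v[1], v[2])
    return None


def classify_version(version: Version) -> str:
    """LOG4J1: Log4Shell not applicable (but see CVE-2019-17571);
    LOG4SHELL: inside the 2.0-2.14.1 range; FIXED: 2.15.0 or later."""
    if version[0] == 1:
        return "LOG4J1"
    if version < LOG4SHELL_FIXED:
        return "LOG4SHELL"
    return "FIXED"


def configured_net_appenders(properties_text: str) -> List[Tuple[str, str]]:
    """(appender name, class) for every log4j 1.x appender declared in a
    log4j.properties file whose class lives in org.apache.log4j.net."""
    found = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        parts = key.strip().split(".")
        # A declaration is exactly log4j.appender.<name>=<class>; deeper keys
        # such as log4j.appender.<name>.layout=... are that appender's settings.
        if len(parts) == 3 and parts[:2] == ["log4j", "appender"]:
            cls = value.strip()
            if cls.startswith(NET_PACKAGE_1X):
                found.append((parts[2], cls))
    return found


def audit(jar_names: List[str], properties_text: str = "") -> Dict[str, object]:
    """Combine both checks into one report for an installation."""
    jars = []
    for name in jar_names:
        parsed = parse_log4j_jar(name)
        if parsed is not None:
            jars.append((name, parsed[1]))
    net = configured_net_appenders(properties_text)
    return {
        "log4j_jars": [(name, ".".join(map(str, v))) for name, v in jars],
        "verdicts": sorted({classify_version(v) for _, v in jars}),
        "net_appenders": net,
        # As the thread frames it, only a 1.x install that actually wires up
        # a network appender needs action on CVE-2019-17571.
        "review_2019_17571": any(v[0] == 1 for _, v in jars) and bool(net),
    }


# Constructed sample inputs, not taken from any real installation.
SAMPLE_LIB_5_16 = ["activemq-broker-5.16.3.jar", "log4j-1.2.17.jar"]
SAMPLE_LIB_2X = ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar"]
SAMPLE_PROPERTIES_CONSOLE = """\
# constructed log4j 1.x configuration: console logging only
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""
SAMPLE_PROPERTIES_JMS = SAMPLE_PROPERTIES_CONSOLE + """\
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LIB_5_16, SAMPLE_PROPERTIES_CONSOLE))
    print(audit(SAMPLE_LIB_5_16, SAMPLE_PROPERTIES_JMS))
    print(audit(SAMPLE_LIB_2X))
```

Run stand-alone it prints the three sample reports; in practice pass `audit` the file names in the broker's lib/ directory and the text of its log4j.properties. A LOG4SHELL verdict means the 2.x upgrade the advisories call for; a LOG4J1 verdict with `review_2019_17571` set means the configuration uses the very path the thread's caveat is about and should be looked at.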