Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/12/16 16:24:00 UTC

[jira] [Commented] (ARTEMIS-3611) update to most recent log4j

    [ https://issues.apache.org/jira/browse/ARTEMIS-3611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460846#comment-17460846 ] 

Justin Bertram commented on ARTEMIS-3611:
-----------------------------------------

ActiveMQ Artemis doesn't _directly_ include or depend upon any version of Log4j for any reason. The Log4j archive is only included in the binary distribution because we ship a Hawtio-based console and the Log4j archive is included in the underlying Hawtio WAR file. ActiveMQ doesn't control the Log4j version shipped in Hawtio. The Hawtio project controls that.

We currently use Hawtio 2.14.0 which in turn uses Log4j 1.2.17. Recently Hawtio 2.14.1 [moved to Log4j 2.14.0|https://github.com/hawtio/hawtio/commit/dc1639293b42587ea1bcc6eae9186646632feb5d] and [then to Log4j 2.15.0|https://github.com/hawtio/hawtio/commit/afafdffb937a25223347f0f26fdd9259d6ac758e] in Hawtio 2.14.2 after the CVE was announced.

In any case, the Hawtio code actually uses SLF4J so even it has no hard dependency on Log4j. When running in ActiveMQ Artemis the Log4j archive won't actually be used due to the broker's own logging configuration.
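As an added example (not code from the ActiveMQ Artemis or Hawtio projects), here is a small Python scanner that inventories Log4j jars in an unpacked distribution, including jars nested inside WAR files, which is exactly where a flat filename search misses the archive described above. The `web/console.war` layout built by `demo()` is a constructed fixture, not either project's real directory structure.

```python
"""Find Log4j jars in a distribution tree, including jars nested inside WAR files."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j-1.2.17.jar, log4j-core-2.14.0.jar, log4j-api-2.15.0.jar, ...
LOG4J_JAR = re.compile(r"(?:^|/)(log4j(?:-[a-z]+)*)-(\d+(?:\.\d+)+)\.jar$", re.I)
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(version):
    """Bucket a version the way the thread does: 1.x is end of life, 2.x is current."""
    return "log4j 1.x (end of life)" if version.split(".")[0] == "1" else "log4j 2.x"

def _record(findings, location, name):
    """Append a finding when `name` looks like a log4j jar; location is the outer archive."""
    m = LOG4J_JAR.search(name)
    if m:
        findings.append({"path": f"{location}!/{name}" if location else name,
                         "artifact": m.group(1), "version": m.group(2), "class": classify(m.group(2))})

def _scan_zip(zf, location, findings):
    """Walk one archive and recurse into nested archives through in-memory buffers."""
    for name in zf.namelist():
        _record(findings, location, name)
        if name.lower().endswith(ARCHIVES):
            data = zf.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):
                _scan_zip(zipfile.ZipFile(io.BytesIO(data)), f"{location}!/{name}", findings)

def scan_distribution(root):
    """Return every log4j jar under root; a plain filename search misses the nested ones."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        _record(findings, "", rel)
        if path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                _scan_zip(zf, rel, findings)
    return findings

def demo():
    """Constructed sample layout: a console WAR bundling log4j 1.2.17 under WEB-INF/lib."""
    root = Path(tempfile.mkdtemp())
    (root / "web").mkdir()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:  # stand-in for the real log4j jar contents
        jar.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(root / "web" / "console.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.17.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/slf4j-api-1.7.30.jar", b"")  # not a real archive, just a name
    return scan_distribution(root)
```

Whether a jar found this way is actually loaded at runtime is a separate question; the scanner only answers what ships in the distribution.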

> update to most recent log4j
> ---------------------------
>
>                 Key: ARTEMIS-3611
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3611
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: arne anka
>            Priority: Major
>
> While not vulnerable to the recently published issue, the web console still uses log4j 1.2.x – which is long out of support and sports a longish list of unfixed issues, and thus vulnerabilities.
> Given that log4j 1.2.x is also an apache project, it is disturbing that its EOL more than 6 years ago seems not to have been noticed nor acted upon.
> It should as soon as possible be updated to a secure version.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)