Posted to users@activemq.apache.org by Benny K <Be...@gmx.net> on 2021/12/13 13:39:48 UTC

ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Hi all,

we have two different Active MQ versions in production-use:

- Active MQ 5.8.0
- Active MQ Artemis 2.17.0

is it right that they both are using log4j-1.2.17 and they are NOT affected by the log4j vulnerability / "log4shell"?

Any help would be really great. :-)

Thanks and Best Regards
Benjamin



Re: Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Benny K <Be...@gmx.net>.
Thanks a lot! :-)
 
 

Sent: Monday, 13 December 2021 at 14:49
From: "Jean-Baptiste Onofré" <jb...@nanthrax.net>
To: users@activemq.apache.org
Subject: Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?
Hi,

I already answered the question about ActiveMQ (not Artemis).

So, ActiveMQ is using log4j 1.x, so it's not affected by CVE-2021-44228.

Regards
JB

On 13/12/2021 14:39, Benny K wrote:
> Hi all,
>
> we have two different Active MQ versions in production-use:
>
> - Active MQ 5.8.0
> - Active MQ Artemis 2.17.0
>
> is it right that they both are using log4j-1.2.17 and they are NOT affected by the log4j vulnerability / "log4shell"?
>
> Any help would be really great. :-)
>
> Thanks and Best Regards
> Benjamin
>
>

Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

I already answered the question about ActiveMQ (not Artemis).

So, ActiveMQ is using log4j 1.x, so it's not affected by CVE-2021-44228.

Regards
JB

On 13/12/2021 14:39, Benny K wrote:
> Hi all,
> 
> we have two different Active MQ versions in production-use:
> 
> - Active MQ 5.8.0
> - Active MQ Artemis 2.17.0
> 
> is it right that they both are using log4j-1.2.17 and they are NOT affected by the log4j vulnerability / "log4shell"?
> 
> Any help would be really great. :-)
> 
> Thanks and Best Regards
> Benjamin
> 
> 

Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

Agree: we just talked about that with Justin.

I will prepare a PR for website to clearly state ActiveMQ in regards of 
log4j2 vulnerability.

Regards
JB

On 13/12/2021 16:13, Eugene Vigoutov wrote:
> We are using 5.16 version
> Seems like it is using log4j 1.2.17 which is not vulnerable
> I think that posting the versions and the status (infected/not infected) will be a great help
> 
> From: Chittaranjan Panda <Ch...@hotmail.com>
> Sent: Monday, 13 December 2021 16:32
> To: users@activemq.apache.org
> Subject: Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?
> 
> Hi,
> 
> Is Apache Artemis 2.18.0 affected by the log4j vulnerability?
> 
> 
> 
> I found in dependencies it uses jboss-logging (
> https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging/3.4.2.Final
> )
> which contains log4j-api 2.11.2 and log4j 1.2.16 and in test dependencies
> uses log4j-core 2.11.2.
> 
> 
> 
> Any help and clarification on this topic.
> 
> 
> 
> Thank you in advance
> 
> On Mon, Dec 13, 2021 at 7:46 PM Justin Bertram wrote:
> 
>> ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228
>> doesn't impact it.
>>
>>
>> Justin
>>
>> On Mon, Dec 13, 2021 at 7:40 AM Benny K wrote:
>>
>>> Hi all,
>>>
>>> we have two different Active MQ versions in production-use:
>>>
>>> - Active MQ 5.8.0
>>> - Active MQ Artemis 2.17.0
>>>
>>> is it right that they both are using log4j-1.2.17 and they are NOT
>>> affected by the log4j vulnerability / "log4shell"?
>>>
>>> Any help would be really great. :-)
>>>
>>> Thanks and Best Regards
>>> Benjamin
>>>
>>>
>>>
>>
> 

RE: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Eugene Vigoutov <Eu...@checkmarx.com>.
We are using 5.16 version
Seems like it is using log4j 1.2.17 which is not vulnerable
I think that posting the versions and the status (infected/not infected) will be a great help

From: Chittaranjan Panda <Ch...@hotmail.com>
Sent: Monday, 13 December 2021 16:32
To: users@activemq.apache.org
Subject: Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Hi,

Is Apache Artemis 2.18.0 affected by the log4j vulnerability?



I found in dependencies it uses jboss-logging (
https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging/3.4.2.Final
)
which contains log4j-api 2.11.2 and log4j 1.2.16 and in test dependencies
uses log4j-core 2.11.2.



Any help and clarification on this topic.



Thank you in advance

On Mon, Dec 13, 2021 at 7:46 PM Justin Bertram wrote:

> ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228
> doesn't impact it.
>
>
> Justin
>
> On Mon, Dec 13, 2021 at 7:40 AM Benny K wrote:
>
> > Hi all,
> >
> > we have two different Active MQ versions in production-use:
> >
> > - Active MQ 5.8.0
> > - Active MQ Artemis 2.17.0
> >
> > is it right that they both are using log4j-1.2.17 and they are NOT
> > affected by the log4j vulnerability / "log4shell"?
> >
> > Any help would be really great. :-)
> >
> > Thanks and Best Regards
> > Benjamin
> >
> >
> >
>

Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Domenico Francesco Bruscino <br...@gmail.com>.
Justin has already clarified that ActiveMQ Artemis doesn't use/ship any
version of Log4J, its binary package doesn't include tests and their
dependencies, so it isn't affected by those log4j vulnerabilities.

On Mon, 13 Dec 2021 at 15:52, Chittaranjan Panda <Ch...@hotmail.com>
wrote:

> Hi,
>
> Is Apache Artemis 2.18.0 affected by the log4j vulnerability?
>
>
>
> I found in dependencies it uses jboss-logging  (
>
> https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging/3.4.2.Final
> )
> which contains log4j-api 2.11.2 and log4j  1.2.16 and in test dependencies
> uses log4j-core 2.11.2.
>
>
>
> Any help and clarification on this topic.
>
>
>
> Thank you in advance
>
> On Mon, Dec 13, 2021 at 7:46 PM Justin Bertram <jb...@apache.org>
> wrote:
>
> > ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228
> > doesn't impact it.
> >
> >
> > Justin
> >
> > On Mon, Dec 13, 2021 at 7:40 AM Benny K <Be...@gmx.net> wrote:
> >
> > > Hi all,
> > >
> > > we have two different Active MQ versions in production-use:
> > >
> > > - Active MQ 5.8.0
> > > - Active MQ Artemis 2.17.0
> > >
> > > is it right that they both are using log4j-1.2.17 and they are NOT
> > > affected by the log4j vulnerability / "log4shell"?
> > >
> > > Any help would be really great. :-)
> > >
> > > Thanks and Best Regards
> > > Benjamin
> > >
> > >
> > >
> >
>
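
The replies above turn on what the binary package actually ships, as opposed to what appears in the build's dependency tree, and that can be checked on an installation directly. The following is an added example, not code from the ActiveMQ project or from any poster: it classifies archives by marker class rather than by file name, and the sample layout and jar names in `build_sample` are constructed.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Marker classes identify the artifact whatever the jar file is called.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core 2.x",
    "org/apache/logging/log4j/Logger.class": "log4j-api 2.x",
    "org/apache/log4j/Logger.class": "log4j 1.x",
}
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(data, label, findings):
    """Record Log4j artifacts in one archive (bytes), recursing into nested ones."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                findings.extend((label, a) for m, a in MARKERS.items() if name.endswith(m))
                if name.lower().endswith(ARCHIVES):
                    classify(archive.read(name), f"{label}!{name}", findings)
    except zipfile.BadZipFile:
        findings.append((label, "unreadable archive"))

def scan(root):
    """Walk an installation directory; return sorted (location, artifact) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            classify(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return sorted(findings)

def build_sample(root):
    """Constructed sample layout, not a real ActiveMQ distribution."""
    def jar(name, body=b""):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, body)
        return buf.getvalue()
    lib = Path(root, "lib")
    lib.mkdir(parents=True)
    core = jar("org/apache/logging/log4j/core/lookup/JndiLookup.class")
    (lib / "legacy-logging.jar").write_bytes(jar("org/apache/log4j/Logger.class"))
    (lib / "api-only.jar").write_bytes(jar("org/apache/logging/log4j/Logger.class"))
    (lib / "console.war").write_bytes(jar("WEB-INF/lib/bundled.jar", core))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

A `log4j-core 2.x` hit only shows that the library is present; its version still has to be compared with the advisory for CVE-2021-44228. Point `scan()` at the broker's installation directory to check a real deployment.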

Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Chittaranjan Panda <Ch...@hotmail.com>.
Hi,

Is Apache Artemis 2.18.0 affected by the log4j vulnerability?

I found in dependencies it uses jboss-logging
(https://mvnrepository.com/artifact/org.jboss.logging/jboss-logging/3.4.2.Final)
which contains log4j-api 2.11.2 and log4j 1.2.16 and in test dependencies
uses log4j-core 2.11.2.



Any help and clarification on this topic.



Thank you in advance

On Mon, Dec 13, 2021 at 7:46 PM Justin Bertram <jb...@apache.org> wrote:

> ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228
> doesn't impact it.
>
>
> Justin
>
> On Mon, Dec 13, 2021 at 7:40 AM Benny K <Be...@gmx.net> wrote:
>
> > Hi all,
> >
> > we have two different Active MQ versions in production-use:
> >
> > - Active MQ 5.8.0
> > - Active MQ Artemis 2.17.0
> >
> > is it right that they both are using log4j-1.2.17 and they are NOT
> > affected by the log4j vulnerability / "log4shell"?
> >
> > Any help would be really great. :-)
> >
> > Thanks and Best Regards
> > Benjamin
> >
> >
> >
>

Re: ActiveMQ 5.8.0 & Active MQ Artemis 2.17.0: log4j vulnerabilities?

Posted by Justin Bertram <jb...@apache.org>.
ActiveMQ Artemis doesn't use/ship any version of Log4J so CVE-2021-44228
doesn't impact it.


Justin

On Mon, Dec 13, 2021 at 7:40 AM Benny K <Be...@gmx.net> wrote:

> Hi all,
>
> we have two different Active MQ versions in production-use:
>
> - Active MQ 5.8.0
> - Active MQ Artemis 2.17.0
>
> is it right that they both are using log4j-1.2.17 and they are NOT
> affected by the log4j vulnerability / "log4shell"?
>
> Any help would be really great. :-)
>
> Thanks and Best Regards
> Benjamin
>
>
>