Yes, I think the same. As already noted, ActiveMQ 5.8.0 doesn't use any version of the vulnerable library (i.e. Log4j2 <=2.14.1).
Justin On Tue, Dec 14, 2021 at 1:46 PM Martin Piattini <mpiatt...@pkglobal.com> wrote: > Hi > Looking more details the vulnerability is in: > > Library versions Log4j 2.x (below than 2.15.0) are affected > Library versions Log4j 1.x are not affected > The issue has been resolved in log4j version 2.15.0 or higher > > And ActiveMQ 5 suppouse use: Log4j 1.2.x then is not affected.... > > Do you think the same? > > Thanks > Regards > Martin > > > > > ____________________________________________ > > Martin Piattini Velthuis, PMP - SAP CPI/PO/PI Consultant > > PK – the Experience Engineering firm > > M + 54 9 11 5644-8108 > > mpiatt...@pkglobal.com<mailto:xxxxx...@pkglobal.com> > > > > ________________________________ > De: Martin Piattini > Enviado: martes, 14 de diciembre de 2021 16:03 > Para: dev@activemq.apache.org <dev@activemq.apache.org> > Asunto: log4j (CVE-2021-44228) vulnerability and ActiveMQ 5.8.0 > > Hi > In a client I am working they use SAP PO and ActiveMQ 5.8.0 for some years. > Now we receive a note for the "log4j (CVE-2021-44228) vulnerability" and > checking the SAP O and the version of ActiveMQ 5.8.0 has this vulnerability. > For SAP PO SAP sent a fix today to solve the issue. > For ActiveMQ we think probably new version of ActiveMQ will solve it? > But also need to be compatible with SAP PO. > > So I ask the community here to some advice. > If someone already encounter this issue and solved it and also some > evidence of the issue fix by ActiveMq (some doc or note) to justified the > upgrade. > > Thanks! > Regards > Martin > > ____________________________________________ > > Martin Piattini Velthuis, PMP - SAP CPI/PO/PI Consultant > > PK – the Experience Engineering firm > > M + 54 9 11 5644-8108 > > mpiatt...@pkglobal.com<mailto:xxxxx...@pkglobal.com> > > > >
