On 12/14/21 3:05 PM, Justin Bertram wrote:
Yes, I think the same. As already noted, ActiveMQ 5.8.0 doesn't use any
version of the vulnerable library (i.e. Log4j2 <=2.14.1).

It's also worth noting that ActiveMQ 5.x uses slf4j as the primary logging facade, so if you don't like the default log4j used by the packaged broker, you are free to substitute in another logging binding that meets your needs.




Justin

On Tue, Dec 14, 2021 at 1:46 PM Martin Piattini <mpiatt...@pkglobal.com>
wrote:

Hi
Looking in more detail, the vulnerability is in:

Library versions Log4j 2.x (below 2.15.0) are affected
Library versions Log4j 1.x are not affected
The issue has been resolved in log4j version 2.15.0 or higher

And ActiveMQ 5 is supposed to use Log4j 1.2.x, so it is not affected....

Do you think the same?

Thanks
Regards
Martin




____________________________________________

Martin Piattini Velthuis, PMP - SAP CPI/PO/PI Consultant

PK – the Experience Engineering firm

M + 54 9 11 5644-8108

mpiatt...@pkglobal.com



________________________________
From: Martin Piattini
Sent: Tuesday, December 14, 2021 16:03
To: dev@activemq.apache.org <dev@activemq.apache.org>
Subject: log4j (CVE-2021-44228) vulnerability and ActiveMQ 5.8.0

Hi
At a client where I am working, they have used SAP PO and ActiveMQ 5.8.0 for some years.
Now we have received a note about the "log4j (CVE-2021-44228) vulnerability" and,
on checking, SAP PO and ActiveMQ version 5.8.0 have this vulnerability.
For SAP PO, SAP sent a fix today to solve the issue.
For ActiveMQ, we think a new version of ActiveMQ will probably solve it?
But it also needs to be compatible with SAP PO.

So I ask the community here for some advice:
whether someone has already encountered this issue and solved it, and also for some
evidence of the issue being fixed by ActiveMQ (some doc or note) to justify the
upgrade.

Thanks!
Regards
Martin






--
Tim Bish
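
An added example, not part of the thread and not ActiveMQ code: a Python check that applies the version rule quoted above (Log4j 1.x not affected by CVE-2021-44228, 2.x below 2.15.0 affected, 2.15.0 or higher fixed) to the jars in a broker's lib directory. The jar names written by `demo()` are constructed placeholders, and the directory passed to `scan()` is an assumption about your installation.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup inside log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # as stated in the thread: resolved in 2.15.0 or higher
NAME_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?")

def classify(version):
    """Apply the rule quoted in the thread to a (major, minor, patch) tuple."""
    if version[0] == 1:
        return "1.x: not affected by CVE-2021-44228"
    if version < FIXED:
        return "2.x below 2.15.0: AFFECTED"
    return "2.15.0 or higher: fixed"

def scan(lib_dir):
    """Return {jar name: verdict} for Log4j jars found under lib_dir."""
    findings = {}
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            findings[jar.name] = "unreadable: inspect manually"
            continue
        m = NAME_RE.match(jar.name)
        if m:
            findings[jar.name] = classify(tuple(int(g or 0) for g in m.groups()))
        elif has_jndi:
            # Renamed or bundled log4j-core: the file name gives no version.
            findings[jar.name] = "bundles JndiLookup.class: check version manually"
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed placeholder jars
        for name, entry in [("log4j-1.2.17.jar", "org/apache/log4j/Logger.class"),
                            ("log4j-core-2.14.1.jar", JNDI_CLASS),
                            ("log4j-core-2.17.1.jar", JNDI_CLASS),
                            ("vendor-bundle.jar", JNDI_CLASS),
                            ("slf4j-log4j12-1.6.6.jar", "org/slf4j/impl/x.class")]:
            with zipfile.ZipFile(Path(tmp) / name, "w") as zf:
                zf.writestr(entry, b"")
        return scan(tmp)

if __name__ == "__main__":
    print("\n".join(f"{jar}: {verdict}" for jar, verdict in demo().items()))
```

The slf4j binding jar is deliberately left out of the findings: it is the facade binding mentioned in the reply, not a Log4j library itself.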
