In deed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they want to migrate.
Good news: we've obtained a deadline to 31/01/2022. Are you confident guys that we'll have the 5.17 release for this date or do we have to develop some kind of patch ? Regards, Laurent -----Message d'origine----- De : Jean-Baptiste Onofré <[email protected]> Envoyé : lundi 3 janvier 2022 18:00 À : [email protected] Objet : Re: ActiveMQ 5.17 and log4j2 Log4j2 is only impacted, not log4j 1.x. It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell vulnerability. Regards JB On 03/01/2022 17:30, Xeno Amess wrote: > Just show the log4j2 cve list to that customer, and persuade him no hurry to > migrate. > > XenoAmess > ________________________________ > From: JB Onofré <[email protected]> > Sent: Monday, January 3, 2022 11:31:30 PM > To: [email protected] <[email protected]> > Subject: Re: ActiveMQ 5.17 and log4j2 > > About 5.16 no way: it’s log4j 1.x > > And log4j 1.x is not impacted by log4shell vulnerability so no need to update. > > Regards > JB > >> Le 3 janv. 2022 à 16:00, Laurent Blanquet <[email protected]> a écrit : >> >> Hi Guys, >> >> It seems that the latest version available is still using log4j 1.2.17. >> >> Unfortunately we have a customer who has a strong requisite to migrate to >> log4j2 before 10 of January ! >> >> Is there a (simple) mean to force this version (or 5.16.3 ?) to use log4j >> 2.17 ? >> >> Regards, >> >> Laurent >
