> Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why
> they want to migrate.

It's worth noting that CVE-2019-17571 doesn't impact ActiveMQ 5.x since it
doesn't use the Log4j SocketServer. See more here [1]. Also, CVE-2021-4104
only affects Log4j 1.2 when it is specifically configured to use the
JMSAppender (which is not enabled by default). In my opinion it would be
quite odd to configure the logging for ActiveMQ to use the JMSAppender so
your customer probably has nothing to worry about here.

JB is managing the release of 5.17.0. I'm not sure how confident he is that
it will be done by the end of the month.


Justin

[1] https://issues.apache.org/jira/browse/AMQ-7370

On Mon, Jan 3, 2022 at 11:41 AM Laurent Blanquet <lblanq...@b2btechno.net>
wrote:

> Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why
> they want to migrate.
>
> Good news:  we've obtained a deadline to 31/01/2022.
>
> Are you confident guys that we'll have the 5.17 release for this date or
> do we have to develop some kind of patch ?
>
> Regards,
>
> Laurent
> -----Original Message-----
> From: Jean-Baptiste Onofré <j...@nanthrax.net>
> Sent: Monday, January 3, 2022 18:00
> To: dev@activemq.apache.org
> Subject: Re: ActiveMQ 5.17 and log4j2
>
> Only Log4j2 is impacted, not log4j 1.x.
>
> It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell
> vulnerability.
>
> Regards
> JB
>
> On 03/01/2022 17:30, Xeno Amess wrote:
> > Just show the log4j2 CVE list to that customer, and persuade him no
> > hurry to migrate.
> >
> > XenoAmess
> > ________________________________
> > From: JB Onofré <j...@nanthrax.net>
> > Sent: Monday, January 3, 2022 11:31:30 PM
> > To: dev@activemq.apache.org <dev@activemq.apache.org>
> > Subject: Re: ActiveMQ 5.17 and log4j2
> >
> > About 5.16 no way: it’s log4j 1.x
> >
> > And log4j 1.x is not impacted by log4shell vulnerability so no need to
> > update.
> >
> > Regards
> > JB
> >
> >> On 3 Jan 2022 at 16:00, Laurent Blanquet <lblanq...@b2btechno.net>
> >> wrote:
> >>
> >> Hi Guys,
> >>
> >> It seems that the latest version available is still using log4j 1.2.17.
> >>
> >> Unfortunately we have a customer who has a strong requisite to migrate
> >> to log4j2 before 10 January!
> >>
> >> Is there a (simple) means to force this version (or 5.16.3?) to use
> >> log4j 2.17?
> >>
> >> Regards,
> >>
> >> Laurent
> >
>
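As an added example (not code from this thread or from the ActiveMQ project), a small Python audit that reads a log4j 1.x `log4j.properties` configuration and reports whether the JMSAppender that CVE-2021-4104 depends on is defined and, separately, whether any logger actually references it; the sample configuration is constructed, and the property-file format assumed is the standard log4j 1.x `log4j.appender.<name>=<class>` / `log4j.rootLogger=LEVEL, a, b` syntax.

```python
"""Check a log4j 1.x properties config for the JMSAppender that
CVE-2021-4104 requires. Added example; the sample config is constructed
and only loosely modelled on an ActiveMQ-style log4j.properties."""
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# log4j.appender.<name>=<class>   (sub-keys like <name>.layout do not match)
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# log4j.rootLogger=LEVEL, app1, app2   or   log4j.logger.<category>=LEVEL, app
LOGGER_RE = re.compile(r"^log4j\.(rootLogger|logger\.[^=\s]+)\s*=\s*(.*)$")

SAMPLE_CONFIG = """\
# constructed sample config
log4j.rootLogger=INFO, console, logfile
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.file=activemq.log
# a JMSAppender that is defined but not attached to any logger
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""


def audit_log4j_properties(text):
    """Return {'defined': [...], 'attached': [...]}: names of appenders
    whose class is JMSAppender, and the subset some logger references.
    log4j 1.x's PropertyConfigurator only instantiates appenders that a
    logger lists, so 'attached' is the set that is actually live."""
    appenders, referenced = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:
            # first comma-separated field is the level, the rest are appenders
            fields = [f.strip() for f in m.group(2).split(",")]
            referenced.update(f for f in fields[1:] if f)
    defined = sorted(n for n, c in appenders.items() if c == JMS_APPENDER)
    attached = [n for n in defined if n in referenced]
    return {"defined": defined, "attached": attached}


if __name__ == "__main__":
    print(audit_log4j_properties(SAMPLE_CONFIG))
    active = SAMPLE_CONFIG + "log4j.logger.org.apache.activemq=DEBUG, jms\n"
    print(audit_log4j_properties(active))
```

The second run in the usage block shows the case to act on: the JMSAppender is both defined and listed by a logger. CVE-2019-17571 is a different condition (running the Log4j SocketServer class) and is not something a properties file reveals.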
