Hi JB and all,
@JB: It's very kind of you to propose to speak to the customer.
I will transmit your proposal and let you know.
From my vision, the security team of the company (big multinational) has
decreed a rule and will apply it blindly at the end of the month.
I have already tried to explain the situation to them with the following links:
https://activemq.apache.org/news/cve-2021-44228
https://lists.apache.org/thread/l3wsj723ojd0rfn2mo15so5jjhxs92sp
and proposed using this trick (tested on ActiveMQ 5.6.13) to avoid any setup
with simpleServer or JMSAppender:
https://stackoverflow.com/questions/70345869/how-to-mitigate-apache-log4j-deserialization-rce-cve-2019-17571
I'll keep you informed about the decision of my customer.
Many thx to all... Apache rocks!
Laurent
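The mitigation Laurent points to comes down to making sure no JMSAppender (CVE-2021-4104) or SocketServer receiver (CVE-2019-17571) is in play. As an added example, not code from this thread or from the ActiveMQ project, the following read-only check parses a log4j 1.x configuration in either properties or XML form and reports whether the JMSAppender is configured, listing any other `org.apache.log4j.net` appender for review. The sample configurations, appender names and hostnames are constructed; the class names are those of the log4j 1.2 API.

```python
"""Read-only audit of a log4j 1.x configuration for the appenders named in
CVE-2021-4104 (JMSAppender) and the network appenders whose receiving side
(SocketServer / SimpleSocketServer) CVE-2019-17571 concerns.

Added example; not part of the ActiveMQ mailing-list thread or the project.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Class names from the log4j 1.2 API.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
NET_PREFIX = "org.apache.log4j.net."

# Properties-format appender declaration: log4j.appender.NAME=fully.qualified.Class
# Sub-keys such as log4j.appender.NAME.layout contain a dot after NAME and are
# therefore not matched by the name group.
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)", re.M)


@dataclass
class Finding:
    appender: str
    clazz: str
    severity: str  # "high", "review" or "ok"
    note: str


def appenders_from_properties(text: str) -> Dict[str, str]:
    """Map appender name -> class for a log4j.properties file."""
    return {name: clazz for name, clazz in _PROP_APPENDER.findall(text)}


def appenders_from_xml(text: str) -> Dict[str, str]:
    """Map appender name -> class for a log4j.xml file (<appender name=.. class=..>)."""
    root = ET.fromstring(text)
    return {el.get("name", "?"): el.get("class", "") for el in root.iter("appender")}


def classify(name: str, clazz: str) -> Finding:
    """Rate one appender against the two CVEs discussed in the thread."""
    if clazz == JMS_APPENDER:
        return Finding(name, clazz, "high",
                       "JMSAppender configured: precondition for CVE-2021-4104; remove it "
                       "or restrict who can edit this file and its JNDI binding names")
    if clazz.startswith(NET_PREFIX):
        return Finding(name, clazz, "review",
                       "network appender; CVE-2019-17571 concerns a listening "
                       "SocketServer/SimpleSocketServer, so confirm none is running")
    return Finding(name, clazz, "ok", "local appender")


def audit(text: str) -> List[Finding]:
    """Audit a configuration given as text; format is detected from the first character."""
    if text.lstrip().startswith("<"):
        appenders = appenders_from_xml(text)
    else:
        appenders = appenders_from_properties(text)
    return sorted((classify(n, c) for n, c in appenders.items()), key=lambda f: f.appender)


def worst_severity(findings: List[Finding]) -> str:
    """Overall verdict: the highest severity among the findings ("ok" if none)."""
    order = {"ok": 0, "review": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default="ok")


# Constructed sample configurations (not files shipped by ActiveMQ).
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="remote" class="org.apache.log4j.net.SocketAppender">
    <param name="RemoteHost" value="loghost.example"/>
  </appender>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)):
        findings = audit(cfg)
        print(f"[{label}] overall: {worst_severity(findings)}")
        for f in findings:
            print(f"  {f.severity:6} {f.appender:8} {f.clazz} - {f.note}")
```

Pointing `audit()` at a broker's actual `conf/log4j.properties` gives a quick answer to the security team's question: a verdict of "ok" means neither the JMSAppender nor any network appender is configured, which is the condition under which the two CVEs they cite do not apply to the installation.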
-----Original Message-----
From: JB Onofré <[email protected]>
Sent: Monday, 3 January 2022 19:03
To: [email protected]
Subject: Re: ActiveMQ 5.17 and log4j2
I don’t understand.
Again ActiveMQ 5.16 is NOT impacted by log4shell.
So why upgrade for that?
And no, you won’t have 5.17.0 on 31/01 as I plan to start the vote on that
date.
I would rather explain to your customer that ActiveMQ still uses log4j 1 and so
there is no need to update.
We already explained this several times on the mailing list.
If you want I can talk to you and your customer to explain and provide details.
Regards
JB
> On 3 Jan 2022 at 18:35, Laurent Blanquet <[email protected]> wrote:
>
> Indeed, they invoke CVE-2021-4104 + CVE-2019-17571 as the reasons why they
> want to migrate.
>
> Good news: we've obtained a deadline to 31/01/2022.
>
> Are you confident guys that we'll have the 5.17 release for this date or do
> we have to develop some kind of patch?
>
> Regards,
>
> Laurent
> -----Original Message-----
> From: Jean-Baptiste Onofré <[email protected]>
> Sent: Monday, 3 January 2022 18:00
> To: [email protected]
> Subject: Re: ActiveMQ 5.17 and log4j2
>
> Log4j2 is only impacted, not log4j 1.x.
>
> It's what I meant: ActiveMQ 5.16.x/5.15.x are not affected by log4shell
> vulnerability.
>
> Regards
> JB
>
>> On 03/01/2022 17:30, Xeno Amess wrote:
>> Just show the log4j2 cve list to that customer, and persuade him no hurry to
>> migrate.
>>
>> XenoAmess
>> ________________________________
>> From: JB Onofré <[email protected]>
>> Sent: Monday, January 3, 2022 11:31:30 PM
>> To: [email protected] <[email protected]>
>> Subject: Re: ActiveMQ 5.17 and log4j2
>>
>> About 5.16 no way: it’s log4j 1.x
>>
>> And log4j 1.x is not impacted by log4shell vulnerability so no need to
>> update.
>>
>> Regards
>> JB
>>
>>>> On 3 Jan 2022 at 16:00, Laurent Blanquet <[email protected]>
>>>> wrote:
>>>
>>> Hi Guys,
>>>
>>> It seems that the latest version available is still using log4j 1.2.17.
>>>
>>> Unfortunately we have a customer who has a strong requirement to migrate to
>>> log4j2 before the 10th of January!
>>>
>>> Is there a (simple) means to force this version (or 5.16.3?) to use log4j
>>> 2.17?
>>>
>>> Regards,
>>>
>>> Laurent
>>