[ https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Srinivasa Yadlapalli reopened AMQ-8449:
---------------------------------------

> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j-related security issue
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-8449
>                 URL: https://issues.apache.org/jira/browse/AMQ-8449
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 5.16.3
>         Environment: log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder which was flagged by security team for vulnerability issue...
> Please advise how to upgrade this to the latest log4j 2.x to fix vulnerability issues.
>            Reporter: Srinivasa Yadlapalli
>            Priority: Critical
>
> log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder which was flagged by security team for vulnerability issue...
> Please advise how to upgrade this to the latest log4j 2.x to fix vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which result in arbitrary code execution when deserialized.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
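As an added defender's inventory check (not code from this issue or from the ActiveMQ project), the script below walks an installation's lib tree, flags log4j 1.x jars such as the lib/optional one reported above, and records whether each jar ships org/apache/log4j/net/SocketServer.class, the class named in the report. The sample directory layout, jar names and class bytes are constructed for the demo and do not come from a real distribution.

```python
import os
import re
import tempfile
import zipfile

# Class named in the report; its presence is what the check records per jar.
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
# Matches log4j-<ver>.jar (1.x) and log4j-core/api-<ver>.jar (2.x) file names.
VERSION_RE = re.compile(r"^log4j(?:-core|-api)?-(\d+)\.(\d+)\.(\d+(?:\.\d+)?)\.jar$")


def classify_jar(path):
    """Describe a log4j jar; return None if the file name is not a log4j artefact."""
    m = VERSION_RE.match(os.path.basename(path))
    if not m:
        return None
    major = int(m.group(1))
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return {
        "path": path,
        "major": major,
        "has_socket_server": SOCKET_SERVER in names,
        # log4j 1.x is end of life and is the line the report's finding applies to.
        "flag": major < 2,
    }


def scan_lib_tree(root):
    """Walk root (e.g. an ActiveMQ install) and classify every log4j jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                info = classify_jar(os.path.join(dirpath, name))
                if info:
                    findings.append(info)
    return sorted(findings, key=lambda i: i["path"])


def build_sample_tree():
    """Constructed lib/optional tree: one log4j 1.x jar and one log4j 2.x jar (demo data)."""
    root = tempfile.mkdtemp(prefix="activemq-lib-")
    optional = os.path.join(root, "lib", "optional")
    os.makedirs(optional)
    with zipfile.ZipFile(os.path.join(optional, "log4j-1.2.17.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(SOCKET_SERVER, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(optional, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root
```

Point scan_lib_tree at the real installation root to list every log4j jar, including copies outside lib/optional that a single-jar replacement would miss.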