[ https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher L. Shannon closed AMQ-8449.
---------------------------------------
    Resolution: Duplicate

Closing this as a duplicate as there's already been a ton of discussion on this 
and Jiras opened.

Information about Log4j 1.x, the upgrade to 2.x and how the CVEs affect AMQ 
has been answered over and over again (I've lost count how many times) on the 
mailing lists already.

You can get info on the mailing lists here: https://activemq.apache.org/contact

There's also information here: https://activemq.apache.org/news/cve-2021-44228

> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix 
> log4j related security issue
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AMQ-8449
>                 URL: https://issues.apache.org/jira/browse/AMQ-8449
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 5.16.3
>         Environment: log4j-1.2.17.1.jar file exists in 
> "apache-activemq-5.16.3\lib\optional" folder which was flagged by the security 
> team for a vulnerability issue...
> Please advise how to upgrade this to the latest log4j 2.x to fix 
> vulnerability issues.
>            Reporter: Srinivasa Yadlapalli
>            Priority: Critical
>
> log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" 
> folder which was flagged by the security team for a vulnerability issue...
> Please advise how to upgrade this to the latest log4j 2.x to fix 
> vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to 
> Deserialization of Untrusted Data. The configureHierarchy and 
> genericHierarchy methods in SocketServer.class do not verify if the file at a 
> given file path contains any untrusted objects prior to deserializing them. A 
> remote attacker can exploit this vulnerability by providing a path to crafted 
> files, which results in arbitrary code execution when deserialized.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)