[ https://issues.apache.org/jira/browse/AMQ-8475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490063#comment-17490063 ]
Robbie Gemmell commented on AMQ-8475:
-------------------------------------

No, that JIRA is not for ActiveMQ. When looking you would e.g. restrict your search to this JIRA project and find several:
https://issues.apache.org/jira/browse/AMQ-8472?jql=project%20%3D%20AMQ%20AND%20text%20~%20log4j%20ORDER%20BY%20updated%20DESC

AMQ-8472 and AMQ-7426 are the ones of interest. AMQ-8472 was actually already completed just hours before you asked. I expect 5.16.4 will go under another release vote soon (its first vote was started+cancelled last week as issues were spotted, and switching to reload4j was then also included) once the remaining niggles discovered are settled, which appears to be primarily AMQ-8410 now.

> ActiveMQ uses log4j 1.2.17
> --------------------------
>
>                 Key: AMQ-8475
>                 URL: https://issues.apache.org/jira/browse/AMQ-8475
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.16.3
>            Reporter: Alexei Yarilovets
>            Priority: Major
>              Labels: docker, logging, security-issue
>
> ActiveMQ server uses old log4j library with CVEs with critical severity
> Tested here:
> [https://search.maven.org/artifact/org.apache.activemq/activemq-all/5.16.3/jar]
> ActiveMQ uses log4j 1.2.17

--
This message was sent by Atlassian Jira
(v8.20.1#820001)