[
https://issues.apache.org/jira/browse/AMQ-8475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490063#comment-17490063
]
Robbie Gemmell commented on AMQ-8475:
-------------------------------------
No, that JIRA is not for ActiveMQ. When looking you would e.g restrict your
search to this JIRA project and find several:
https://issues.apache.org/jira/browse/AMQ-8472?jql=project%20%3D%20AMQ%20AND%20text%20~%20log4j%20ORDER%20BY%20updated%20DESC
AMQ-8472 and AMQ-7426 are the ones of interest. AMQ-8472 was actually already
completed just hours before you asked. I expect 5.16.4 will go under another
release vote soon (its first vote was started+cancelled last week as issues
were spotted, and switching to reload4j was then also included) once the
remaining niggles discovered are settled, which appears to be primarily
AMQ-8410 now.
> ActiveMQ uses log4j 1.2.17
> --------------------------
>
> Key: AMQ-8475
> URL: https://issues.apache.org/jira/browse/AMQ-8475
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.16.3
> Reporter: Alexei Yarilovets
> Priority: Major
> Labels: docker, logging, security-issue
>
> ActiveMQ server uses old log4j library with CVEs with critical severity
> Tested here:
> [https://search.maven.org/artifact/org.apache.activemq/activemq-all/5.16.3/jar]
> ActiveMQ uses log4j 1.2.17
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
