[ 
https://issues.apache.org/jira/browse/AMQ-8475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490063#comment-17490063
 ] 

Robbie Gemmell commented on AMQ-8475:
-------------------------------------

No, that JIRA is not for ActiveMQ. When looking you would e.g restrict your 
search to this JIRA project and find several: 
https://issues.apache.org/jira/browse/AMQ-8472?jql=project%20%3D%20AMQ%20AND%20text%20~%20log4j%20ORDER%20BY%20updated%20DESC

AMQ-8472 and AMQ-7426 are the ones of interest. AMQ-8472 was actually already 
completed just hours before you asked. I expect 5.16.4 will go under another 
release vote soon (its first vote was started+cancelled last week as issues 
were spotted, and switching to reload4j was then also included) once the 
remaining niggles discovered are settled, which appears to be primarily 
AMQ-8410 now.

> ActiveMQ uses log4j 1.2.17
> --------------------------
>
>                 Key: AMQ-8475
>                 URL: https://issues.apache.org/jira/browse/AMQ-8475
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.16.3
>            Reporter: Alexei Yarilovets
>            Priority: Major
>              Labels: docker, logging, security-issue
>
> ActiveMQ server uses old log4j library with CVEs with critical severity
> Tested here:
> [https://search.maven.org/artifact/org.apache.activemq/activemq-all/5.16.3/jar]
> ActiveMQ uses log4j 1.2.17



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to