Recently, a new critical vulnerability has been published for log4j: CVE-2021-44228.
I've read different things from different sources. According to Red Hat (https://access.redhat.com/security/cve/cve-2021-44228): "This issue only affects log4j versions between 2.0 and 2.14.1". According to GitHub (https://github.com/advisories/GHSA-jfh8-c2jp-5v3q): "Any Log4J version prior to v2.15.0 is affected to this specific issue." and, more explicitly, "The v1 branch of Log4J which is considered End Of Life (EOL) is vulnerable to other RCE vectors so the recommendation is to still update to 2.15.0 where possible.". It seems that ActiveMQ 5.16 uses log4j 1.2.17. Could we please get an official statement about ActiveMQ's security wrt log4j?

Thanks!
Lionel

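As an added example (not part of the thread, and not ActiveMQ project code), the following script inventories log4j jars on a classpath and flags each one against the version ranges the two advisories quoted above give: 2.x below 2.15.0 is affected by CVE-2021-44228, 2.15.0 or later is not, and 1.x is outside this CVE but end of life. The filename-based check, the jar name pattern, the `scan_lib_dir` helper and the status labels are my assumptions; the constructed sample listing at the bottom is not a real ActiveMQ `lib/` directory.

```python
"""Inventory log4j jars and flag them against the ranges quoted in the thread.

Assumption: jar file names carry the artifact version (log4j-1.2.17.jar,
log4j-core-2.14.1.jar, ...). Shaded or renamed jars are not detected.
"""
import re
from pathlib import Path

FIXED_IN = (2, 15, 0)  # first release the GitHub advisory calls unaffected

STATUS_AFFECTED = "AFFECTED"      # 2.x below 2.15.0: upgrade per the advisories
STATUS_FIXED = "FIXED"            # 2.15.0 or later
STATUS_LOG4J1_EOL = "LOG4J1_EOL"  # 1.x: not this CVE, but EOL per the GitHub advisory

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.14.1.jar, ...
_JAR = re.compile(r"^log4j(?:-[A-Za-z0-9.-]+?)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pad to three parts so '2.15' compares as 2.15.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify_version(version):
    """Map a parsed version to one of the status labels above."""
    if version[0] == 1:
        return STATUS_LOG4J1_EOL
    if version < FIXED_IN:
        return STATUS_AFFECTED
    return STATUS_FIXED


def classify_jar(filename):
    """Return a status for a log4j jar name, or None if it is not a log4j jar."""
    m = _JAR.match(filename)
    if not m:
        return None
    return classify_version(parse_version(m.group(1)))


def scan_jar_names(names):
    """Return {jar name: status} for every log4j jar in an iterable of names."""
    result = {}
    for name in names:
        status = classify_jar(name)
        if status is not None:
            result[name] = status
    return result


def scan_lib_dir(path):
    """Scan a directory (e.g. an ActiveMQ lib/ folder; hypothetical path) for log4j jars."""
    return scan_jar_names(p.name for p in Path(path).glob("*.jar"))


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real installation.
    sample = [
        "activemq-broker-5.16.0.jar",
        "log4j-1.2.17.jar",
        "log4j-core-2.14.1.jar",
        "log4j-api-2.15.0.jar",
        "slf4j-api-1.7.30.jar",
    ]
    for jar, status in scan_jar_names(sample).items():
        print(f"{status:<11} {jar}")
```

Run it against a real install with `scan_lib_dir("/path/to/activemq/lib")`; a non-empty set of `AFFECTED` entries is the signal to upgrade, while `LOG4J1_EOL` entries are the case the thread is asking about and need a separate decision based on the project's statement.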