To whom it may concern,


As an intensive user of the Apache technology in our enterprise architecture and 
product portfolio, I may draw your attention to a critical issue.

Based on the known vulnerability CVE-2021-44228 in Log4j version 2, many of 
our large enterprise customers (e.g. Volkswagen Financial Services) are 
becoming very sensitive to the risk of using software elements not under 
maintenance.



Unfortunately we have this situation with the message broker ActiveMQ "Classic" 
(the latest versions 5.15.15 and 5.16.3) as there is an embedded use of the 
Log4j version 1.2.17.



The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use Log4j 
1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as Log4j 
1.2.17 has not been maintained since August 2015.

(Here an existing security vulnerability (CVE-2019-17571) is not fixed, with 
the note "Users are urged to upgrade to Log4j 2".)



This situation will not be accepted by a number of large customers, which 
demand a timely exchange of this component to the officially released new Log4j 
version 2.

Therefore we ask you kindly to name and communicate an official release date 
for ActiveMQ 5.17.0 (including the Log4j version 2).



A timely answer is really appreciated, as we think this could mitigate negative 
responses and create positive feedback from the market.



Best regards

Ralf Knöringer
Senior Manager
Big Data & Cybersecurity - IAM
M: +49 172 5229705
Otto-Hahn-Ring 6, 81739 Munich - Germany
atos.net<https://atos.net/>

Atos Information Technology GmbH; Managing Directors: Udo Littke, Boris Hecker; 
Chairman of the Supervisory Board: N.N.; Registered office: Munich; Commercial 
register of the local court of Munich, HRB 235509
