Showing posts from February, 2022

Apache ActiveMQ 5.16.4, reload4j and more

Apache ActiveMQ 5.16.4 has just been released. This release is an important one on ActiveMQ 5.16.x series, bringing several important changes/fixes. Reload4j replaces log4j Apache ActiveMQ 5.16.3 is using log4j 1.x. If this log4j version is not impacted by log4shell vulnerability, it's affected by several security issue. reload4j ( ) is a fork of log4j 1.2.17 with the goal of fixing pressing security issues. Apache ActiveMQ 5.16.4 now uses reload4j 1.2.19, bringing the following security fixes compared to log4j 1.2.17: CVE-2021-4104 (JMSAppender) CVE-2022-23302 (JMSSink) CVE-2019-17571 (SocketServer) CVE-2020-9493 and CVE-2022-23307 (Chainsaw) 2022-23305 (JDBCAppender) broken MDC in newer JDKs XML entity injection attack CVE-2020-9488 (SMTPAppender) There's no impact for users: the conf/ configuration file is the same as before, just the jar files changed. If ActiveMQ 5.17.x will use log4j 2.x, ActiveMQ