Showing posts from February, 2022

Apache ActiveMQ 5.16.4, reload4j and more

Apache ActiveMQ 5.16.4 has just been released. This is an important release in the ActiveMQ 5.16.x series, bringing several important changes and fixes.

Reload4j replaces log4j

Apache ActiveMQ 5.16.3 uses log4j 1.x. While this log4j version is not affected by the log4shell vulnerability, it is affected by several other security issues. reload4j ( https://reload4j.qos.ch/ ) is a fork of log4j 1.2.17 whose goal is to fix the pressing security issues in that line. Apache ActiveMQ 5.16.4 now uses reload4j 1.2.19, which brings the following security fixes compared to log4j 1.2.17:

- CVE-2021-4104 (JMSAppender)
- CVE-2022-23302 (JMSSink)
- CVE-2019-17571 (SocketServer)
- CVE-2020-9493 and CVE-2022-23307 (Chainsaw)
- CVE-2022-23305 (JDBCAppender)
- broken MDC in newer JDKs
- XML entity injection attack
- CVE-2020-9488 (SMTPAppender)

There is no impact on users: the conf/log4j.properties configuration file is the same as before; only the jar files changed. Although ActiveMQ 5.17.x will use log4j 2.x, ActiveMQ