Apache ActiveMQ 5.16.4, reload4j and more

Apache ActiveMQ 5.16.4 has just been released.

This is an important release in the ActiveMQ 5.16.x series, bringing several significant changes and fixes.

Reload4j replaces log4j

Apache ActiveMQ 5.16.3 uses log4j 1.x. Although this log4j version is not impacted by the Log4Shell vulnerability, it is affected by several other security issues.

reload4j (https://reload4j.qos.ch/) is a fork of log4j 1.2.17 with the goal of fixing pressing security issues.

Apache ActiveMQ 5.16.4 now uses reload4j 1.2.19, bringing the following security fixes compared to log4j 1.2.17:

  • CVE-2021-4104 (JMSAppender)
  • CVE-2022-23302 (JMSSink)
  • CVE-2019-17571 (SocketServer)
  • CVE-2020-9493 and CVE-2022-23307 (Chainsaw)
  • CVE-2022-23305 (JDBCAppender)
  • broken MDC in newer JDKs
  • XML entity injection attack
  • CVE-2020-9488 (SMTPAppender)

There's no impact for users: the conf/log4j.properties configuration file is the same as before, only the jar files changed.

While ActiveMQ 5.17.x will use log4j 2.x, ActiveMQ 5.16.x is now "clean" of known log4j vulnerabilities thanks to reload4j.

Upgrade to xerces 2.12.2

To fix CVE-2022-23437 (infinite loop within the Apache XercesJ XML parser), Apache ActiveMQ 5.16.4 upgraded to Apache Xerces 2.12.2.

Well-formed response

Up to Apache ActiveMQ 5.16.3, clients get an IOException when a sent message is too large. This prevents clients from cleanly processing the message, or even knowing that the message is actually too large.

Apache ActiveMQ 5.16.4 improves this by using the maxFrameSize and then returning a well-formed response.

Fix unexpected character in STOMP header

When using the STOMP 1.2 protocol, header values can contain escape sequences: https://stomp.github.io/stomp-specification-1.2.html#Value_Encoding.

Up to Apache ActiveMQ 5.16.3, when the escape sequence \r is used in SEND frame header values, it will be received as \\r in incoming MESSAGE frames, which is unexpected.

Apache ActiveMQ 5.16.4 fixes that, with \r in both SEND and MESSAGE frames.
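
The STOMP 1.2 value encoding described above, as an added example that is not ActiveMQ code: an encoder and decoder for header values, plus a broker-style relay that decodes a SEND header and re-encodes it for MESSAGE. The function names, the sample values and the lenient decoding mode are assumptions made for illustration; the lenient mode shows one way a decoder that does not know \r produces the \\r symptom, not the broker's actual root cause.

```python
# Added example, not ActiveMQ code. Names and sample values are constructed.
# Escape sequences from the STOMP 1.2 "Value Encoding" section.
ESCAPES_1_2 = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
UNESCAPES_1_2 = {"\\": "\\", "r": "\r", "n": "\n", "c": ":"}
# STOMP 1.1 defines the same escapes except the one for carriage return.
UNESCAPES_1_1 = {k: v for k, v in UNESCAPES_1_2.items() if k != "r"}


def encode_header_value(value: str) -> str:
    """Escape a header value for the wire so that raw CR, LF and ':'
    in the value cannot alter the frame's header structure."""
    return "".join(ESCAPES_1_2.get(ch, ch) for ch in value)


def decode_header_value(wire: str, table=UNESCAPES_1_2, strict=True) -> str:
    """Unescape a header value read from the wire.

    strict=True follows the 1.2 spec: an undefined escape sequence is a
    fatal protocol error. strict=False is a hypothetical lenient decoder
    that passes an unknown escape through as two literal characters.
    """
    out, i = [], 0
    while i < len(wire):
        ch = wire[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(wire):
            raise ValueError("dangling backslash in header value")
        nxt = wire[i + 1]
        if nxt in table:
            out.append(table[nxt])
        elif strict:
            raise ValueError(f"undefined escape sequence \\{nxt}")
        else:
            out.append("\\" + nxt)  # unknown escape kept as literal text
        i += 2
    return "".join(out)


def relay(wire_value: str, table, strict=True) -> str:
    """Broker path: decode the SEND header, re-encode it for MESSAGE."""
    return encode_header_value(decode_header_value(wire_value, table, strict))
```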

Better JDK16 support

Apache ActiveMQ 5.16.4 improves JDK16 runtime support in the bin/activemq script, in the code (fixing a warning about SSL), and in dependencies (upgrading to ASM 9.2).

And much more!

Apache ActiveMQ 5.16.4 also includes a bunch of other updates and fixes. You can take a look at the Release Notes for details.


