Apache ActiveMQ 5.16.4, reload4j and more

Apache ActiveMQ 5.16.4 has just been released.

This release is an important one on ActiveMQ 5.16.x series, bringing several important changes/fixes.

Reload4j replaces log4j

Apache ActiveMQ 5.16.3 is using log4j 1.x. If this log4j version is not impacted by log4shell vulnerability, it's affected by several security issue.

reload4j (https://reload4j.qos.ch/) is a fork of log4j 1.2.17 with the goal of fixing pressing security issues.

Apache ActiveMQ 5.16.4 now uses reload4j 1.2.19, bringing the following security fixes compared to log4j 1.2.17:

  • CVE-2021-4104 (JMSAppender)
  • CVE-2022-23302 (JMSSink)
  • CVE-2019-17571 (SocketServer)
  • CVE-2020-9493 and CVE-2022-23307 (Chainsaw)
  • 2022-23305 (JDBCAppender)
  • broken MDC in newer JDKs
  • XML entity injection attack
  • CVE-2020-9488 (SMTPAppender)

There's no impact for users: the conf/log4j.properties configuration file is the same as before, just the jar files changed.

If ActiveMQ 5.17.x will use log4j 2.x, ActiveMQ 5.16.x is now "clean" with log4j known vulnerabilities thanks to reload4j.

Upgrade to xerces 2.12.2

In order to fix CVE-2022-23437 (Infinite loop within Apache XercesJ xml parser), Apache ActiveMQ 5.16.4 upgraded to Apache Xerces 2.12.2.

Well-formed response

Up to Apache ActiveMQ 5.16.3, clients get an IOException when a sent message is too large. It prevents the clients to cleanly process the message and even know that the message is actually too large.

Apache ActiveMQ 5.16.4 improves this by using the maxFrameSize and then return a well-formed response.

Fix unexpected character in STOMP header

When using STOMP 1.2 protocol, it's possible to have escapes sequence in the header: https://stomp.github.io/stomp-specification-1.2.html#Value_Encoding.

Up to Apache ActiveMQ 5.16.3, when the escape sequence \r is used in SEND frame header values, it will be received as \\r in incoming MESSAGE frames, which is unexpected.

Apache ActiveMQ 5.16.4 fixes that with both \r in SEND and MESSAGE.

Better JDK16 support

Apache ActiveMQ 5.16.4 brings improvements on the JDK16 runtime support, both in the bin/activemq script, code (fixing warning about SSL), and dependencies (upgrading to ASM 9.2).

And much more!

Apache ActiveMQ 5.16.4 also includes bunch of other updates and fixes. You can take a look on the Release Notes for details.

Comments

Post a Comment

Popular posts from this blog

Exposing Apache Karaf configurations with Apache Arrow Flight

Image
This blog post shows how to use Apache Arrow and Arrow Flight in Apache Karaf runtime. The code base is available here: https://github.com/jbonofre/karaf-arrow . Apache Arrow ? Apache Arrow is composed by: The Arrow format (specification). Format implementations with different languages (C, Java, Go, Rust, ...). Extra subprojects like Flight, Flight SQL, ADBC, nanoarrow, ... Apache Arrow format is a in-memory columnar format, super efficient for scanning and iterating a large chunks of data. In traditional memory buffer, we focus on "row". Apache Arrow format "groups" data per column, which is much more efficient on modern CPUs/GPUs. The Apache Arrow format is basically a specification. We have several implementations for this specification: C C++ C# Go Java Python Ruby Rust As the purpose of this blog post is to show Apache Arrow in Apache Karaf, we will use Arrow Java. In addition, Apache Arrow also provides several...
Read more

Getting started with Apache Karaf Minho

Image
Apache Karaf Minho Apache Karaf Minho is a new runtime, completely created from scratch. The objectives are: super easy to use and run ligtning fast, including GraalVM support Kubernetes compliant to be easily used on the cloud helping to optimize cloud costs by supporting applications colocation providing turnkey services allowing you to create Minho applications in a minute Minho is composed by: minho-boot is the core of Minho. It contains the runtime launcher and the core services (service registry, lifecycle service, configuration service, ...). minho-* services provided additional functionnalities in the runtime. You can use these services to create your own services, it's also where you will find the services managing sepcific kind of applications, allowing colocation. minho-tooling optionally provide convenient tools to create your own runtime. It includes minho-maven-plugin for instance. In this blog post, we will take a quick tour on A...
Read more

Using Apache Karaf with Kubernetes

Image
In a previous blog post ( http://blog.nanthrax.net/?p=893 ), I introduced the “new” docker support in Karaf and the use of Karaf static distribution. This post follows the previous one by illustrating how to use Karaf docker image with a Kubernetes cluster. Preparing Karaf static docker image As in the previous blog post, we are preparing a Karaf static distribution based docker image. For this blog post, I’m using the example provided in Karaf: https://github.com/apache/karaf/tree/master/examples/karaf-docker-example/karaf-docker-example-static-dist . I’m just building the distribution as usual: karaf-docker-example-static-dist$ mvn clean install Preparing kubernetes testing cluster For this blog, I’m using a minikube installed locally. The installation is pretty simple: Download minikube from https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 Rename minikube-linux-amd64 as minikube Copy minikube in your path, for instance /us...
Read more