Apache ActiveMQ 5.16.4, reload4j and more
Apache ActiveMQ 5.16.4 has just been released. This release is an important one in the ActiveMQ 5.16.x series, bringing several important changes and fixes.
Reload4j replaces log4j
Apache ActiveMQ 5.16.3 uses log4j 1.x. While this log4j version is not impacted by the log4shell vulnerability, it is affected by several other security issues. reload4j (https://reload4j.qos.ch/) is a fork of log4j 1.2.17 with the goal of fixing pressing security issues. Apache ActiveMQ 5.16.4 now uses reload4j 1.2.19, bringing the following security fixes compared to log4j 1.2.17:
- CVE-2021-4104 (JMSAppender)
- CVE-2022-23302 (JMSSink)
- CVE-2019-17571 (SocketServer)
- CVE-2020-9493 and CVE-2022-23307 (Chainsaw)
- CVE-2022-23305 (JDBCAppender)
- broken MDC in newer JDKs
- XML entity injection attack
- CVE-2020-9488 (SMTPAppender)
The conf/log4j.properties configuration file is the same as before; only the jar files changed. While ActiveMQ 5.17.x will use log4j 2.x, ActiveMQ 5.16.x is now "clean" of known log4j vulnerabilities thanks to reload4j.
Upgrade to Xerces 2.12.2
In order to fix CVE-2022-23437 (infinite loop within the Apache XercesJ XML parser), Apache ActiveMQ 5.16.4 upgraded to Apache Xerces 2.12.2.
Well-formed response
Up to Apache ActiveMQ 5.16.3, clients get an IOException when a sent message is too large. This prevents clients from cleanly handling the error, or even from knowing that the message was actually too large. Apache ActiveMQ 5.16.4 improves this by checking the message against maxFrameSize and then returning a well-formed response.
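To illustrate the defensive pattern behind this change, here is an added example (not ActiveMQ's own code, and not its OpenWire framing): a length-prefixed frame reader that validates the declared size against a limit before buffering the body, answers an oversize frame with a structured error frame instead of a bare exception, and discards the oversize body as it arrives so the connection stays usable. The 4-byte big-endian length prefix, the JSON error body, the "ACK:" reply and the 1024-byte default limit are all assumptions made for this example.

```python
"""Length-prefixed framing with an enforced maximum frame size.

Added example; the framing and responses are constructed for illustration
and are not ActiveMQ's OpenWire codec.
"""
import json
import struct

MAX_FRAME_SIZE = 1024            # assumed default limit for this example
HEADER = struct.Struct(">I")     # assumed framing: 4-byte big-endian body length


def encode_frame(payload: bytes) -> bytes:
    """Prefix a body with its length."""
    return HEADER.pack(len(payload)) + payload


def decode_frame(frame: bytes) -> bytes:
    """Return the body of one complete frame."""
    (length,) = HEADER.unpack_from(frame)
    return frame[HEADER.size:HEADER.size + length]


def error_frame(reason: str, **details) -> bytes:
    """A well-formed error reply the peer can parse and act on."""
    return encode_frame(json.dumps({"error": reason, **details}).encode())


def parse_error(frame: bytes) -> dict:
    """Decode an error reply built by error_frame()."""
    return json.loads(decode_frame(frame))


class FrameReader:
    """Incremental reader: feed() raw bytes, get back the reply frames produced."""

    def __init__(self, max_frame_size: int = MAX_FRAME_SIZE):
        self.max = max_frame_size
        self.buf = b""
        self.to_skip = 0   # bytes of a rejected oversize body still to discard

    def feed(self, data: bytes) -> list:
        self.buf += data
        replies = []
        while True:
            if self.to_skip:
                # Drop the rejected body without retaining it.
                n = min(self.to_skip, len(self.buf))
                self.buf = self.buf[n:]
                self.to_skip -= n
                if self.to_skip:
                    break
            if len(self.buf) < HEADER.size:
                break                                 # wait for a full header
            (length,) = HEADER.unpack_from(self.buf)
            if length > self.max:
                # The size is checked before any body bytes are consumed or
                # allocated; the peer gets a parseable error, not a dropped socket.
                replies.append(error_frame("frame too large", size=length, max=self.max))
                self.buf = self.buf[HEADER.size:]
                self.to_skip = length
                continue
            if len(self.buf) < HEADER.size + length:
                break                                 # wait for the full body
            body = self.buf[HEADER.size:HEADER.size + length]
            self.buf = self.buf[HEADER.size + length:]
            replies.append(encode_frame(b"ACK:" + body))
        return replies


if __name__ == "__main__":
    reader = FrameReader(max_frame_size=16)
    for reply in reader.feed(encode_frame(b"x" * 40) + encode_frame(b"hello")):
        print(decode_frame(reply))
```

Because the reader keeps a skip counter rather than a growing buffer, an oversize frame costs the receiver only its header plus the bytes that have already arrived, and the frame following it is processed normally.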
Fix unexpected character in STOMP header
When using the STOMP 1.2 protocol, it is possible to have escape sequences in the header: https://stomp.github.io/stomp-specification-1.2.html#Value_Encoding. Up to Apache ActiveMQ 5.16.3, when the escape sequence \r is used in SEND frame header values, it is received in the corresponding MESSAGE frames, which is unexpected. Apache ActiveMQ 5.16.4 fixes that with both
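As an added example of the value encoding the STOMP 1.2 specification defines (this is not ActiveMQ's STOMP transport code), the following encoder and decoder apply the spec's escape table, treat an undefined escape sequence as a fatal protocol error as the spec requires, and show a relay step in which a SEND header value is decoded and re-escaped before it is placed in a MESSAGE frame, so the \r escape round-trips instead of leaking as a raw carriage return. The function names and the StompProtocolError class are assumptions made for this example.

```python
"""STOMP 1.2 header value escaping.

Added example; the escape table is the one in
https://stomp.github.io/stomp-specification-1.2.html#Value_Encoding and
applies to the headers of every frame except CONNECT and CONNECTED.
"""

# raw character -> escape sequence on the wire
_ESCAPES = {
    "\r": "\\r",
    "\n": "\\n",
    ":": "\\c",
    "\\": "\\\\",
}
# escape letter -> raw character ('r' -> '\r', 'c' -> ':', ...)
_UNESCAPES = {seq[1]: raw for raw, seq in _ESCAPES.items()}


class StompProtocolError(ValueError):
    """Undefined escape or malformed header: a fatal protocol error per the spec."""


def encode_header_value(value: str) -> str:
    """Escape a raw header key or value for the wire."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def decode_header_value(wire: str) -> str:
    """Undo the escaping; reject sequences the spec does not define."""
    out = []
    i = 0
    while i < len(wire):
        ch = wire[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(wire):
            raise StompProtocolError("dangling backslash at end of header value")
        nxt = wire[i + 1]
        if nxt not in _UNESCAPES:
            raise StompProtocolError(f"undefined escape sequence \\{nxt}")
        out.append(_UNESCAPES[nxt])
        i += 2
    return "".join(out)


def is_valid_header_value(wire: str) -> bool:
    """True if the wire form decodes cleanly."""
    try:
        decode_header_value(wire)
        return True
    except StompProtocolError:
        return False


def parse_headers(header_block: str) -> dict:
    """Parse the header lines of a non-CONNECT frame.

    header_block is the text between the command line and the blank line;
    EOL may be LF or CRLF. The first occurrence of a repeated header wins,
    as the spec requires.
    """
    headers = {}
    for line in header_block.split("\n"):
        line = line[:-1] if line.endswith("\r") else line
        if not line:
            continue
        if ":" not in line:
            raise StompProtocolError(f"malformed header line: {line!r}")
        raw_key, raw_val = line.split(":", 1)
        headers.setdefault(decode_header_value(raw_key), decode_header_value(raw_val))
    return headers


def relay_header_value(send_wire_value: str) -> str:
    """What a broker should emit in a MESSAGE frame for a SEND header value:
    decode the client's escaping, then re-escape for the outgoing frame."""
    return encode_header_value(decode_header_value(send_wire_value))


if __name__ == "__main__":
    # constructed SEND header value carrying an escaped carriage return
    print(repr(decode_header_value("line1\\rline2")))   # 'line1\rline2'
    print(relay_header_value("line1\\rline2"))           # line1\rline2 (still escaped)
```

Splitting each header line on the first colon before decoding is what makes the `\c` escape work: a decoded colon inside a key or value never becomes a delimiter, and a raw CR or LF produced by decoding never becomes a line break.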
Better JDK16 support
Apache ActiveMQ 5.16.4 brings improvements to JDK16 runtime support, in the bin/activemq script, in the code (fixing a warning about SSL), and in the dependencies (upgrading to ASM 9.2).