Update on CVE-2021-44228
CVE-2021-44228 was recently announced and it has caused quite a bit of traffic on the mailing lists and in Jira from users curious about its impact on both ActiveMQ “Classic” and Artemis. In short, CVE-2021-44228 has no impact on any ActiveMQ broker because no ActiveMQ broker uses any version of Log4j2. To reiterate, no action is required to mitigate CVE-2021-44228.
ActiveMQ “Classic” does use Log4j for logging, but the latest versions (i.e. 5.15.15 and 5.16.3) use Log4j 1.2.17, which is not impacted by CVE-2021-44228. This version of Log4j has been used since 5.7.0. The upcoming ActiveMQ 5.17.0 will use Log4j2, but the pull request will be updated to use a later version of Log4j 2.x before merging in order to mitigate this CVE.
ActiveMQ Artemis does not use Log4j for logging. However, Log4j 1.2.17 is included in the Hawtio-based web console application archive (i.e. web/console.war/WEB-INF/lib). Although this version of Log4j is not impacted by CVE-2021-44228, future versions of Artemis will be updated so that the Log4j jar is no longer included in the web console application archive. See ARTEMIS-3612 for more information on that task.
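Administrators who want to confirm the statements above against their own installation can inventory the Log4j jars actually present, including those packed inside the web console archive at web/console.war/WEB-INF/lib. The script below is an added example, not part of this announcement or of the ActiveMQ project; it classifies jars by filename, treats Log4j 1.x as outside the scope of CVE-2021-44228 (as the text states), and flags a Log4j 2.x log4j-core jar older than 2.15.0. That threshold is the editor's assumption taken from the Log4j project's own advisory; this page names no specific 2.x version. The demo() layout is constructed for illustration, and the log4j-core-2.14.1.jar it plants is deliberately not something any ActiveMQ broker ships.

```python
"""Inventory Log4j jars in an ActiveMQ "Classic" or Artemis install tree,
including jars packed inside .war/.ear archives."""
import os
import re
import tempfile
import zipfile

# First Log4j 2.x release that addressed CVE-2021-44228. Editor's assumption
# from the Log4j project's advisory; the page itself names no 2.x version.
FIXED_LOG4J2 = (2, 15, 0)

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-slf4j-impl-2.14.1.jar
JAR_RE = re.compile(
    r"^(?P<artifact>log4j(?:-[a-z][a-z0-9]*)*)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][\w.]*)?\.jar$",
    re.IGNORECASE,
)

ARCHIVES = (".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); padded to three components for comparison."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def classify(filename):
    """Return (artifact, version, status) for a Log4j jar name, else None."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    artifact = m.group("artifact").lower()
    version = m.group("version")
    vtuple = parse_version(version)
    if vtuple[0] == 1:
        # Log4j 1.x does not contain the affected JNDI lookup (per the page)
        status = "log4j1-not-affected-by-CVE-2021-44228"
    elif vtuple[0] == 2 and artifact == "log4j-core":
        # The vulnerable code lives in log4j-core; compare against the fix
        if vtuple < FIXED_LOG4J2:
            status = "log4j2-core-VULNERABLE-CVE-2021-44228"
        else:
            status = "log4j2-core-fixed"
    elif vtuple[0] == 2:
        status = "log4j2-other-module"
    else:
        status = "unknown"
    return artifact, version, status


def scan_tree(root):
    """Walk root, look inside war/ear/zip archives, return sorted findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(ARCHIVES) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for entry in zf.namelist():
                        hit = classify(entry)
                        if hit:
                            findings.append((rel + "!/" + entry,) + hit)
            else:
                hit = classify(name)
                if hit:
                    findings.append((rel,) + hit)
    return sorted(findings)


def demo():
    """Constructed sample layout (not a real install) scanned end to end."""
    with tempfile.TemporaryDirectory() as root:
        # "Classic"-style lib directory with the Log4j 1.2.17 jar the page names
        os.makedirs(os.path.join(root, "lib"))
        open(os.path.join(root, "lib", "log4j-1.2.17.jar"), "wb").close()
        # Artemis-style web console archive with the jar under WEB-INF/lib
        os.makedirs(os.path.join(root, "web"))
        with zipfile.ZipFile(os.path.join(root, "web", "console.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-1.2.17.jar", b"")
            war.writestr("WEB-INF/lib/other-lib.jar", b"")
        # Constructed third-party jar, NOT shipped by ActiveMQ, so that the
        # vulnerable branch is exercised
        os.makedirs(os.path.join(root, "extras"))
        open(os.path.join(root, "extras", "log4j-core-2.14.1.jar"), "wb").close()
        return scan_tree(root)


if __name__ == "__main__":
    for path, artifact, version, status in demo():
        print(f"{status:40} {artifact}-{version}  {path}")
```

Run it as `python log4j_inventory.py` for the constructed demo, or call scan_tree("/opt/activemq") on a real installation. Because classification is by filename, a shaded or renamed jar will not be recognised; when an unexpected Log4j 2.x finding appears, confirm it by listing the jar contents for org/apache/logging/log4j/core/lookup/JndiLookup.class rather than trusting the name alone.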