Jboss AMQ has a log4j jar available in the below path when you search
$AMQ7_BROKER_HOME/bin/$BROKER_INSTANCE/tmp/webapps/jetty-localhost-8161-hawtio_war-_console-any-1234567890123456789/webapp/WEB-INF/lib/log4j-1.2.17.jarAMQ 7.x brokers have not been affected by the CVE-2021-442281 vulnerability. AMQ 7 core broker components do not use Log4J. However, the integrated Hawtio console uses Log4j version 1.x (1.2.17) which has not been affected by the said vulnerability:
Name: org.apache.log4j
Implementation-Vendor: "Apache Software Foundation"
Implementation-Title: log4j
Implementation-Version: 1.2.17
Build-Jdk: 1.6.0_23
Bundle-Version: 1.2.17
Bundle-Description: Apache Log4j 1.2
Bundle-DocURL: http://logging.apache.org/log4j/1.2The Log4J version 1.x releases have been affected by the CVE-2021-41042 vulnerability. However, this would not have any impact should you refrain from using JMSAppender in Log4J 1.x releases.
This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:
- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
- A log statement in the endpoint that logs the attacker controlled data.
Mitigation
For Log4j versions >=2.10
set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
For Log4j versions >=2.7 and <=2.14.1
all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m
For Log4j versions >=2.0-beta9 and <=2.10.0
remove the JndiLookup class from the classpath. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class