Searching a JBoss AMQ 7 broker instance turns up a log4j jar at the following path:
$AMQ7_BROKER_HOME/bin/$BROKER_INSTANCE/tmp/webapps/jetty-localhost-8161-hawtio_war-_console-any-1234567890123456789/webapp/WEB-INF/lib/log4j-1.2.17.jar
AMQ 7.x brokers are not affected by the CVE-2021-44228 vulnerability. AMQ 7 core broker components do not use Log4j at all. The integrated Hawtio console does bundle Log4j, but only version 1.x (1.2.17), which is not affected by that vulnerability. The jar's manifest confirms the version:
Name: org.apache.log4j
Implementation-Vendor: "Apache Software Foundation"
Implementation-Title: log4j
Implementation-Version: 1.2.17
Build-Jdk: 1.6.0_23
Bundle-Version: 1.2.17
Bundle-Description: Apache Log4j 1.2
Bundle-DocURL: http://logging.apache.org/log4j/1.2
Log4j 1.x releases are, however, affected by CVE-2021-4104. That issue has no impact as long as JMSAppender is not used in the Log4j 1.x configuration.
CVE-2021-44228 itself only affects Log4j versions 2.0 through 2.14.1. Exploiting it requires both of the following:
- A remotely accessible endpoint on any protocol (HTTP, TCP, etc.) that lets an attacker send arbitrary data, and
- A log statement in that endpoint which logs the attacker-controlled data.
Mitigation
For Log4j versions >=2.10:
set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For Log4j versions >=2.7 and <=2.14.1:
modify all PatternLayout patterns to specify the message converter as %m{nolookups} instead of just %m.
For Log4j versions >=2.0-beta9 and <=2.10.0:
remove the JndiLookup class from the classpath. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
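The checks described above (which log4j jars are present under a broker home, which version each manifest declares, and whether the class behind CVE-2021-44228 or the JMSAppender behind CVE-2021-4104 is inside) and the last mitigation step (dropping JndiLookup.class from a log4j-core jar) can be scripted. The following Python script is an added example, not Red Hat or AMQ code: it walks a directory tree such as $AMQ7_BROKER_HOME, classifies every jar it finds using the version ranges stated on this page, and rewrites an affected jar without JndiLookup.class, which has the same effect as the zip -d command above. The sample jars it builds in a temporary directory are constructed stand-ins (a manifest plus placeholder class entries), not real Log4j builds.

```python
import os
import re
import tempfile
import zipfile

# Class entries referenced by the two advisories discussed on the page.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                 # log4j 1.x


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); None if unparsable."""
    if not text:
        return None
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums) if nums else None


def jar_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def classify_jar(path):
    """Return (version, verdict) for one jar, using the page's version ranges."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = jar_version(zf)
    v = parse_version(version)
    if JNDI_LOOKUP in names and v and (2, 0) <= v <= (2, 14, 1):
        return version, "CVE-2021-44228: log4j-core in affected range, JndiLookup present"
    if JNDI_LOOKUP in names:
        return version, "JndiLookup present but version outside 2.0-2.14.1"
    if JMS_APPENDER in names:
        return version, "log4j 1.x: CVE-2021-4104 only if JMSAppender is configured"
    return version, "no JndiLookup class"


def scan_tree(root):
    """Walk root (e.g. $AMQ7_BROKER_HOME) and classify every *.jar found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                results[name] = classify_jar(os.path.join(dirpath, name))
    return results


def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class (same effect as 'zip -q -d').
    Returns True if the class was present and removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def _write_jar(path, version, class_entries):
    """Constructed sample jar: a manifest plus placeholder class entries."""
    manifest = ("Manifest-Version: 1.0\n"
                "Implementation-Title: log4j\n"
                "Implementation-Version: %s\n" % version)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for entry in class_entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class


def build_sample_tree():
    """Constructed broker-like tree with three sample jars in a temp directory."""
    root = tempfile.mkdtemp(prefix="amq-log4j-demo-")
    lib = os.path.join(root, "webapp", "WEB-INF", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-1.2.17.jar"), "1.2.17", [JMS_APPENDER])
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", [JNDI_LOOKUP])
    _write_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", [JNDI_LOOKUP])
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for jar, (ver, verdict) in sorted(scan_tree(demo_root).items()):
        print("%-24s %-8s %s" % (jar, ver, verdict))
```

To run it against a real installation, call scan_tree with the broker home instead of the constructed tree. Note that JndiLookup.class still ships in Log4j releases newer than 2.14.1, so the script keys the CVE-2021-44228 verdict on the manifest version range from this page rather than on the class's presence alone; a jar with a missing or non-standard manifest is reported with version None and should be inspected by hand.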