As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of the specific CVEs, their severity, and the affected versions can be a bit of a task on the fly. As such, herein is a quick table version of the update guidance. The current supported version of Log4j 2 for Java 8 is 2.17.1 as of this writing.

Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.
Log4j 2 Security Vulnerabilities Update Guide (reference: https://logging.apache.org/log4j/2.x/security.html). The Java 8, Java 7 and Java 6 columns give the first fixed release for that Java line; a blank cell means no fix is listed for that line.

| Severity | CVE fixed | Description | CVSS | Java 8 | Java 7 | Java 6 | Versions Affected |
|---|---|---|---|---|---|---|---|
| Moderate | CVE-2021-44832 | Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration. | 6.6 | 2.17.1 | 2.12.4 | 2.3.2 | 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 |
| Moderate | CVE-2021-45105 | Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. | 5.9 | 2.17.0 | 2.12.3 | 2.3.1 | All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3 |
| Critical | CVE-2021-45046 | Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations. | 9 | 2.16.0 | 2.12.2 |  | All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 |
| Critical | CVE-2021-44228 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. | 10 | 2.15.0 |  |  | All versions from 2.0-beta9 to 2.14.1 |
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.