Log4j 2 Security Vulnerabilities Update Guide

As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of specific CVEs, severity, and affected versions can be a bit of a task on the fly. As such, herein is a quick table version of update guidance. The current supported version of Log4j2 for Java 8 is 2.17.1 as of this writing.

Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.

Log4j 2 Security Vulnerabilities Update Guide			Reference: https://logging.apache.org/log4j/2.x/security.html
Severity	CVE fixed	Description	CVSS	Java 8	Java 7	Java 6	Versions Affected
Moderate	CVE-2021-44832	Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.	6.6	2.17.1	2.12.4	2.3.2	2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4
Moderate	CVE-2021-45105	Apache Log4j2 does not always protect from infinite recursion in lookup evaluation	5.9	2.17.0	2.12.3	2.3.1	All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3
Critical	CVE-2021-45046	Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations	9	2.16.0	2.12.2		All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
Critical	CVE-2021-44228	Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.	10	2.15.0			All versions from 2.0-beta9 to 2.14.1

Russ McRee | @holisticinfosec

Russ McRee

204 Posts
ISC Handler

Dec 29th 2021

Thread locked Subscribe

Dec 29th 2021
6 months ago