PackageFix / Fix Guides / Java/Maven / Apache Log4j

All Apache Log4j CVEs โ€” Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

Log4j is Apache's Java logging library used by virtually every Java application. Log4Shell (CVE-2021-44228) was the most severe Java vulnerability ever discovered. The fix process required multiple patches as bypasses were discovered.

Java/Maven Millions weekly downloads 5 CVEs total 3 CRITICAL ๐Ÿ”ด CISA KEV

CVE history โ€” all 5 known vulnerabilities

๐Ÿ”ด 2 CVEs on CISA KEV โ€” actively exploited in real attacks

CVE ID Year Severity Description Fix
CVE-2019-17571 2019 CRITICAL Deserialization of untrusted data via SocketServer Fixed in 2.0-beta9
CVE-2021-44228 2021 ๐Ÿ”ดCRITICAL Log4Shell โ€” RCE via JNDI lookup in log message โ€” CISA KEV Fixed in 2.15.0
CVE-2021-45046 2021 ๐Ÿ”ดCRITICAL Log4Shell bypass โ€” incomplete fix in 2.15.0 โ€” CISA KEV Fixed in 2.16.0
CVE-2021-45105 2021 HIGH DoS via crafted string causing infinite recursion Fixed in 2.17.0
CVE-2021-44832 2021 MEDIUM RCE via JDBC Appender with attacker-controlled config Fixed in 2.17.1

Current safe version

โœ“ Update to 2.23.1

The latest safe version addresses all 5 known CVEs listed above.

Before and after

Vulnerable:

2.14.1

Fixed:

2.23.1

Then run: mvn dependency:resolve

log4j 2.23.1 Java version requirements

log4j 2.23.1 requires Java 8 or later. If you are on Java 7, the last compatible safe version is log4j 2.12.4 (Java 7 branch). log4j 1.x is end of life โ€” do noegardless of Java version.

Java Version Safe log4j Version Notes
Java 8+2.23.1Latest โ€” recommended
Java 72.12.4Java 7 branch โ€” patches Log4ShellJava 62.3.2Java 6 branch โ€” patches Log4Shell

Paste your manifest โ€” see your exact installed version against this full CVE list.

Scan with PackageFix โ†’

Free ยท No signup ยท No CLI ยท Runs in your browser

Common questions

Why are there so many Log4j CVEs all at once in December 2021?
Log4Shell (CVE-2021-44228) was disclosed on December 9, 2021. The initial patch (2.15.0) was incomplete โ€” researchers immediately found bypass techniques, leading to CVE-2021-45046. Each bypass required another patch: 2.16.0, then 2.17.0 for the DoS, then 2.17.1 for a JDBC appender edge case. The final fully-patched version addressing all known bypasses is 2.17.1+.
Is my app vulnerable to Log4Shell if I use Spring Boot?
Check your Spring Boot version. Spring Boot 2.5.8+ and 2.6.2+ upgraded Log4j to 2.17.1. Earlier versions bundle vulnerable Log4j. Run mvn dependency:tree | grep log4j to see your resolved version, or paste your pom.xml into PackageFix.
Is Log4Shell still being exploited in 2026?
Yes โ€” CISA KEV confirms ongoing exploitation. Unpatched Log4j instances are continuously scanned by automated attack tools. The vulnerability is so well-known that any unpatched system is quickly found and attacked.
What if I can't upgrade Log4j immediately?
Temporary mitigation: set the JVM argument -Dlog4j2.formatMsgNoLookups=true. This disables the JNDI lookup that enables Log4Shell. This is a workaround only โ€” upgrade to 2.17.1+ as soon as possible.

Related

PackageFix vs Sonatype

Java scanner comparison

CVE-2021-44228 โ€” Log4Shell

CVSS 10.0 โ€” full detail

Fix Spring Framework

Spring4Shell CVE

Fix Commons Text

Text4Shell CVE

Java Security Overview

All Java CVE guides