All Apache Log4j CVEs — Complete Vulnerability History
Log4j is Apache's Java logging library used by virtually every Java application. Log4Shell (CVE-2021-44228) was the most severe Java vulnerability ever discovered. The fix process required multiple patches as bypasses were discovered.
Java/Maven
Millions weekly downloads
5 CVEs total
3 CRITICAL
🔴 CISA KEV
CVE history — all 5 known vulnerabilities
🔴 2 CVEs on CISA KEV — actively exploited in real attacks
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-17571 | 2019 | CRITICAL | Deserialization of untrusted data via SocketServer | Fixed in 2.0-beta9 |
| CVE-2021-44228 | 2021 | 🔴CRITICAL | Log4Shell — RCE via JNDI lookup in log message — CISA KEV | Fixed in 2.15.0 |
| CVE-2021-45046 | 2021 | 🔴CRITICAL | Log4Shell bypass — incomplete fix in 2.15.0 — CISA KEV | Fixed in 2.16.0 |
| CVE-2021-45105 | 2021 | HIGH | DoS via crafted string causing infinite recursion | Fixed in 2.17.0 |
| CVE-2021-44832 | 2021 | MEDIUM | RCE via JDBC Appender with attacker-controlled config | Fixed in 2.17.1 |
Current safe version
✓ Update to 2.23.1
The latest safe version addresses all 5 known CVEs listed above.
Before and after
Vulnerable:
2.14.1
Fixed:
2.23.1
Then run: mvn dependency:resolve
Paste your manifest — see your exact installed version against this full CVE list.
Scan with PackageFix →Free · No signup · No CLI · Runs in your browser
Common questions
Why are there so many Log4j CVEs all at once in December 2021?
Log4Shell (CVE-2021-44228) was disclosed on December 9, 2021. The initial patch (2.15.0) was incomplete — researchers immediately found bypass techniques, leading to CVE-2021-45046. Each bypass required another patch: 2.16.0, then 2.17.0 for the DoS, then 2.17.1 for a JDBC appender edge case. The final fully-patched version addressing all known bypasses is 2.17.1+.
Is my app vulnerable to Log4Shell if I use Spring Boot?
Check your Spring Boot version. Spring Boot 2.5.8+ and 2.6.2+ upgraded Log4j to 2.17.1. Earlier versions bundle vulnerable Log4j. Run mvn dependency:tree | grep log4j to see your resolved version, or paste your pom.xml into PackageFix.
Is Log4Shell still being exploited in 2026?
Yes — CISA KEV confirms ongoing exploitation. Unpatched Log4j instances are continuously scanned by automated attack tools. The vulnerability is so well-known that any unpatched system is quickly found and attacked.
What if I can't upgrade Log4j immediately?
Temporary mitigation: set the JVM argument -Dlog4j2.formatMsgNoLookups=true. This disables the JNDI lookup that enables Log4Shell. This is a workaround only — upgrade to 2.17.1+ as soon as possible.