Which versions of Log4j are vulnerable
What happened to log4j recently
| Name | Vulnerability type | Affected log4j versions |
|---|---|---|
| CVE-2021-45046 | Denial of Service (DoS) and RCE | 2.0 through 2.15.0 |
| CVE-2021-4104 | RCE | 1.2* |
| CVE-2021-45105 | Denial of Service (DoS) | 2.0-beta9 to 2.16.0 |
| CVE-2021-44832 | RCE | 2.0 to 2.17.0 |
Is Log4j 2.17 vulnerable
3 or 2.17. 0: from these versions onwards, only the JAVA protocol is supported in JNDI connections. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Does Log4j 1.2 17 have vulnerability
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
Is Log4j 2.16 still vulnerable
December 20, 2021
Log4j 2.17 has been released to address a Denial of Service (DoS) vulnerability found in v2. 16 and earlier. Log4j 2.16 and earlier does not always protect from infinite recursion in lookup evaluation, which can lead to DoS attacks. This is considered a High (7.5) vulnerability on the CVSS scale.
Is Log4j 1 version vulnerable
x. JMSSink in Log4j 1. x is vulnerable to deserialization of untrusted data. This flaw allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink and to the attacker's JNDI LDAP endpoint.
Is Log4j Core 2.16 0 jar vulnerable
Vulnerability Details
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216189 for the current score. DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups.
Is Log4j 2.7 vulnerable
log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Remote Code Execution (RCE). Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
Is Log4j Core 2.17 0 jar vulnerable
The Severity was also changed from moderate to critical. Log4j version 2.17. 0 was released on December 18th in response to another Log4j vulnerability. Labeled CVE-2021-45105, the newest security hole is a Denial-of-Service vulnerability with a CVSS score of 7.5 and is rated as High by Apache.
Does Log4j 1.2 14 have vulnerability
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. JMSSink in all versions of Log4j 1. x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to.
Is Log4j 1.2 end of life
Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. CSM version 6.3.
Is Log4j 2.3 vulnerable
Affected versions of this package are vulnerable to Remote Code Execution (RCE). Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
Is Log4j Version 1.2 16 vulnerable
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
Is 1.18 1 safe from Log4j
Is My Server Safe All servers running 1.18. 1 and above are completely safe.
Is Log4j 2.12 1 vulnerable
log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Remote Code Execution (RCE). Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
Is Log4j 1.2 6 vulnerable
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2. 17.
Is Log4j 2.17 released
2.17. 0, released Friday, marks the third patch for Log4j since the now-infamous Log4Shell vulnerability became publicly known a week and a half ago. Log4j 2.15. 0 helped mitigate the initial remote code execution (RCE) vulnerability, tracked as CVE-2021-44228, while 2.16.
Is Log4j version 1 vulnerable
JMSSink in Log4j 1. x is vulnerable to deserialization of untrusted data. This flaw allows a remote attacker to execute code on the server if the deployed application is configured to use JMSSink and to the attacker's JNDI LDAP endpoint. A flaw was found in the log4j 1.
Is Apache 2.4 41 vulnerable to Log4j
Apache's HTTPd (web server) isn't vulnerable – it's not written in Java, and thus it can't use Log4j. However, Log4j is incredibly popular with Java applications. Every grown-up application needs formalized logging, and Log4j provides it very well.
Is Log4j 2.9 1 vulnerable
log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Remote Code Execution (RCE). Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
Is Log4j Version 1.2 14 vulnerable
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
When was Log4j 2.17 1 released
1 (2021-12-27) This release addresses CVE-2021-44832 and contains other minor fixes.
When was Log4j 2.16 0 released
2021-12-13
0 (2021-12-13)
Is Apache 2.4 6 vulnerable to Log4j
Apache Httpd Server or Web Server is not affected by log4j vulnerability. Here is a list of Apache Projects that were affected by the log4j vulnerability. This entry is where we will collect links to statements provided by ASF projects on if they are affected by CVE-2021-44228, the security issue in Log4j2.
When was Log4j 2.17 released
0 (2021-12-17) The major changes contained in this release include: Address CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing.
When was Log4j 2.16 released
0 (2021-12-13) This release contains one change which is noted below. Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters.
