Apache Log4j overview 

Apache Log4j is a Java-based logging framework that evolved from basic logging to a highly configurable system supporting: 

• Plugins 

• Custom layouts and filters 

• Lookups 

• Audit-capable logging (no event loss during reconfiguration) 

The current supported version is based on Java 8 (from version 2.13.x onward). Older branches (Java 6 and 7) are no longer supported. 

While powerful, Log4j’s flexibility introduces security risks, especially when combined with Java’s dynamic class-loading and deserialization capabilities. 

Vulnerability details 

CVE-2021-44228 – Log4Shell (remote code execution) 

• Affected versions: Log4j < 2.15.0 

• Cause: JNDI lookups in logged data (e.g., LDAP) 

• Impact: Allows attackers to execute arbitrary code via crafted log entries 

• Mechanism: If an attacker controls logged input (e.g., User-Agent headers), they can trigger a JNDI lookup to a malicious LDAP server. 

• Fix: Version 2.15.0 

CVE-2021-45046 – Incomplete fix (remote code execution) 

• Affected versions: Log4j 2.15.0 

• Cause: Exploitable via Thread Context Map (MDC) and non-default Pattern Layouts 

• Impact: Initially rated as Denial of Service (DoS), later confirmed as Remote Code Execution (RCE) 

• Fix: Version 2.16.0 

CVE-2021-45105 – Self-referential lookups (denial of service) 

• Cause: Uncontrolled recursion in lookups 

• Impact: Stack overflow and process termination 

• Fix: Version 2.17.0 

NOTE: Fixes were also released for 2.3.x and 2.12.x branches, but these are not recommended due to a lack of ongoing support.

CVE-2021-44832 – JDBC appender (limited remote code execution) 

• Cause: Malicious JNDI URI in JDBC Appender configuration 

• Impact: Requires attacker to modify Log4j config; low real-world risk if best practices are followed 

• Fix: Version 2.17.1 

Again, fixes were released for 2.3.x and 2.12.x, but these branches are unsupported. 

CVE-2021-4104 – Log4j 1.x (limited remote code execution) 

• Affected versions: Log4j 1.2.x (End of Life) 

• Cause: Similar to Log4Shell but requires configuration modification 

• Impact: Lower risk due to limited attack vector 

• Recommendation: Upgrade to supported Log4j 2.x versions 

Using End of Life (EOL) versions like Log4j 1.x poses significant security risks. Always upgrade to supported versions. 

Security recommendations 

• Upgrade immediately to the latest supported version of Log4j (≥ 2.17.1). 

• Avoid using EOL versions (e.g., Log4j 1.x, 2.3.x, 2.12.x). 

• Review logging configurations for unsafe lookups or appenders. 

• Test updates in a staging environment before deploying to production. 

• Restrict access to configuration files to prevent unauthorized changes. 

References