2.17.0

Release date

2021-12-17

The major changes contained in this release include:

  • Address CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.

  • The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled.

  • Remove LDAP and LDAPS as supported protocols from JNDI.

The single log4j2.enableJndi property introduced in Log4j 2.16.0 has been replaced with three individual properties; log4j2.enableJndiContextSelector, log4j2.enableJndiJms, and log4j2.enableJndiLookup.

The Log4j 2.17.0 API, as well as many core components, maintains binary compatibility with previous releases.

Apache Log4j 2.17.0 requires a minimum of Java 8 to build and run. Log4j 2.12.2 is the last release to support Java 7. Java 7 is no longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website.

Fixed

  • Fix string substitution recursion. (LOG4J2-3230)

  • Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. (LOG4J2-3237)

  • Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin. (LOG4J2-3241)

  • Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. (LOG4J2-3242)

  • PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. (LOG4J2-3247)

  • Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. (LOG4J2-3249)