2.15.0 (2021-12-06)
This release contains a number of bug fixes and minor enhancements which are listed below.
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0.
Until this release, Log4j’s JNDI support did not restrict which names could be resolved. Some protocols are unsafe or can allow remote code execution. Log4j now limits the protocols by default to only java, ldap, and ldaps, and by default limits the ldap protocols to accessing only Java primitive objects served on the local host.
One vector that allowed exposure to this vulnerability was Log4j’s allowance of Lookups to appear in log messages. As of Log4j 2.15.0 this feature is now disabled by default. While an option has been provided to enable Lookups in this fashion, users are strongly discouraged from enabling it.
Users who cannot upgrade to 2.15.0 can mitigate the exposure by:
-
Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.
-
Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
-
Remove the JndiLookup and JndiManager classes from the log4j-core JAR. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.
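The following inventory check is an added example, not part of the Log4j release notes or the project's code: it reads a JAR (including JARs nested in a fat JAR or WAR, which goes slightly beyond the list above) and reports which of the three mitigations still apply to each bundled log4j-core. The class entry paths, the pom.properties location, the make_jar helper and the sample JAR are assumptions of this example.

```python
import io
import re
import zipfile

# Entry paths as used inside log4j-core; the release notes give only class names.
JNDI_CLASSES = ("org/apache/logging/log4j/core/lookup/JndiLookup.class",
                "org/apache/logging/log4j/core/net/JndiManager.class")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# (first version the mitigation applies to, mitigation) from the release notes.
MITIGATIONS = [((2, 10, 0), "-Dlog4j.formatMsgNoLookups=true"),
               ((2, 7, 0), "%m{nolookups} in PatternLayout"),
               ((0, 0, 0), "remove JndiLookup and JndiManager classes")]

def core_version(jar):
    """Return log4j-core's (major, minor, patch) from pom.properties, or None."""
    if POM_PROPS not in jar.namelist():
        return None
    text = jar.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def assess(jar_bytes, path="app.jar"):
    """List findings for a JAR and for any JAR/WAR nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        version = core_version(jar)
        for name in names:
            if name.endswith((".jar", ".war")):
                findings += assess(jar.read(name), f"{path}!/{name}")
    if version is None:
        return findings
    present = [c for c in JNDI_CLASSES if c in names]
    # Mitigations are only needed below 2.15.0 while a JNDI class is still in the JAR.
    options = [m for since, m in MITIGATIONS if present and (2, 15, 0) > version >= since]
    findings.append({"path": path, "version": version,
                     "jndi_classes": present, "options": options})
    return findings

def make_jar(entries):
    """Build a constructed in-memory JAR from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a fat JAR bundling a stand-in for log4j-core 2.14.1.
CORE_2_14_1 = make_jar({POM_PROPS: "version=2.14.1\n", **dict.fromkeys(JNDI_CLASSES, b"")})
SAMPLE = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": CORE_2_14_1})
```

An empty options list means either the JAR is 2.15.0 or later, or both JNDI classes have already been removed from it.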
Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See LOG4J2-2975 and SLF4J-511.
Some of the new features in Log4j 2.15.0 include:
-
Support for Arbiters, which are conditionals that can enable sections of the logging configuration for inclusion or exclusion. In particular, SpringProfile, SystemProperty, Script, and Class Arbiters have been provided that use the Spring profile, System property, the result of a script, or the presence of a class respectively to determine whether a section of configuration should be included.
-
Support for Jakarta EE 9. This is functionally equivalent to Log4j’s log4j-web module but uses the Jakarta project.
-
Various performance improvements.
Key changes to note:
-
Prior to this release Log4j would automatically resolve Lookups contained in the message or its parameters in the Pattern Layout. This behavior is no longer the default and must be enabled by specifying %msg{lookup}.
-
The JNDI Lookup has been restricted to only support the java, ldap, and ldaps protocols by default. LDAP also no longer supports classes that implement the Referenceable interface and restricts the Serializable classes to the Java primitive classes by default and requires an allow list to be specified to access remote LDAP servers.
The Log4j 2.15.0 API, as well as many core components, maintains binary compatibility with previous releases.
Apache Log4j 2.15.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7. Java 7 is no longer supported by the Log4j team.
For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website.
Changes
Added
-
Add support for US-style date patterns and micro/nano seconds to FixedDateTime. (for LOG4J2-2885 by Volkan Yazıcı, Markus Spann)
-
Add BasicAsyncLoggerContextSelector equivalent to AsyncLoggerContextSelector for applications with a single LoggerContext. This selector avoids classloader lookup overhead incurred by the existing AsyncLoggerContextSelector. (for LOG4J2-2940 by Carter Kozak)
-
Context selectors are aware of their dependence upon the caller’s ClassLoader, allowing basic context selectors to avoid the unnecessary overhead of walking the stack to determine the caller’s ClassLoader. (for LOG4J2-2940 by Carter Kozak)
-
Add support for Jakarta EE 9 (Tomcat 10 / Jetty 11) (for LOG4J2-2978 by Ralph Goers, Michael Seele)
-
Add plugin support to JsonTemplateLayout. (for LOG4J2-3004 by Volkan Yazıcı)
-
Allow a PatternSelector to be specified on GelfLayout. (for LOG4J2-3041 by Ralph Goers)
-
Add RepeatPatternConverter. (for LOG4J2-3044 by Ralph Goers)
-
Add improved MapMessage support to GelfLayout. (for LOG4J2-3048 by Ralph Goers)
-
Allow MapMessage and ThreadContext attributes to be prefixed. (for LOG4J2-3049 by Ralph Goers)
-
Allow AdditionalFields to be ignored if their value is null or a zero-length String. (for LOG4J2-3050 by Ralph Goers)
-
Add CaseConverterResolver to JsonTemplateLayout. (for LOG4J2-3051 by Volkan Yazıcı)
-
Refactor MD5 usage for sharing sensitive information. (for LOG4J2-3056 by Volkan Yazıcı, Marcono1234)
-
Add Arbiters and SpringProfile plugin. (for LOG4J2-3064 by Ralph Goers)
-
Add CounterResolver to JsonTemplateLayout. (for LOG4J2-3067 by Volkan Yazıcı)
-
Add replacement parameter to ReadOnlyStringMapResolver. (for LOG4J2-3074 by Volkan Yazıcı)
-
Add JsonTemplateLayout for Google Cloud Platform structured logging layout. (for LOG4J2-3116 by Raman Gupta)
-
Add missing slf4j-api singleton accessors to log4j-slf4j-impl (1.7) StaticMarkerBinder and StaticMDCBinder. This doesn’t impact behavior or correctness, but avoids throwing and catching NoSuchMethodErrors when slf4j is initialized and avoids linkage linting warnings. (for LOG4J2-3133 by Carter Kozak)
-
Avoid ThreadLocal overhead in RandomAccessFileAppender, RollingRandomAccessFileManager, and MemoryMappedFileManager due to the unused setEndOfBatch and isEndOfBatch methods. The methods on LogEvent are preferred. (for LOG4J2-3141 by Carter Kozak)
-
Prefer string.getBytes(Charset) over string.getBytes(String) based on performance improvements in modern Java releases. (for LOG4J2-3144 by Carter Kozak)
-
Make CRLF/HTML encoding run in O(n) worst-case time, rather than O(n^2). (for LOG4J2-3170 by Volkan Yazıcı, Gareth Smith)
-
Improve PatternLayout performance by reducing unnecessary indirection and branching. (for LOG4J2-3171 by Carter Kozak)
-
Improve NameAbbreviator worst-case performance. (for LOG4J2-3189 by Carter Kozak)
-
Allow fractional attributes for size attribute of SizeBasedTriggeringPolicy. (for LOG4J2-3194 by Ralph Goers, markuss)
-
Pattern layout no longer enables lookups within message text by default for cleaner API boundaries and reduced formatting overhead. The old 'log4j2.formatMsgNoLookups' which enabled this behavior has been removed as well as the 'nolookups' message pattern converter option. The old behavior can be enabled on a per-pattern basis using '%m{lookups}'. (for LOG4J2-3198 by Carter Kozak)
Changed
-
Handle interrupted exceptions that occur during rollover. (for LOG4J2-1798 by Ralph Goers, Viacheslav Zhivaev)
-
Provide support for overriding the Tomcat Log class in Tomcat 8.5+. (for LOG4J2-2025 by Ralph Goers)
-
Minor documentation corrections regarding log levels. (for LOG4J2-2540 by Ralph Goers)
-
Minor documentation corrections in the configuration section. (for LOG4J2-2541 by Ralph Goers, Gerold Broser)
-
Correct documentation for SyslogAppender when using TLS. (for LOG4J2-2553 by Ralph Goers)
-
Log4j 1.x properties were not being substituted. (for LOG4J2-2951 by Ralph Goers)
-
Fix Log Event Level vs Logger Config Level table. (for LOG4J2-3166 by Ralph Goers)
-
Update Spring framework to 5.3.13, Spring Boot to 2.5.7, and Spring Cloud to 2020.0.4. (for by Ralph Goers)
-
Updated dependencies.
  - com.fasterxml.jackson.core:jackson-annotations 2.12.2 → 2.12.4
  - com.fasterxml.jackson.core:jackson-core 2.12.2 → 2.12.4
  - com.fasterxml.jackson.core:jackson-databind 2.12.2 → 2.12.4
  - com.fasterxml.jackson.dataformat:jackson-dataformat-xml 2.12.2 → 2.12.4
  - com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.2 → 2.12.4
  - com.fasterxml.jackson.module:jackson-module-jaxb-annotations 2.12.2 → 2.12.4
  - com.fasterxml.woodstox:woodstox-core 6.2.4 → 6.2.6
  - commons-io:commons-io 2.8.0 → 2.11.0
  - net.javacrumbs.json-unit:json-unit 2.24.0 → 2.25.0
  - net.javacrumbs.json-unit:json-unit 2.25.0 → 2.27.0
  - org.apache.activemq:activemq-broker 5.16.1 → 5.16.2
  - org.apache.activemq:activemq-broker 5.16.2 → 5.16.3
  - org.apache.commons:commons-compress 1.20 → 1.21
  - org.apache.commons:commons-csv 1.8 → 1.9.0
  - org.apache.commons:commons-dbcp2 2.8.0 → 2.9.0
  - org.apache.commons:commons-pool2 2.9.0 → 2.11.1
  - org.apache.maven.plugins:maven-failsafe-plugin 2.22.2 → 3.0.0-M5
  - org.apache.maven.plugins:maven-surefire-plugin 2.22.2 → 3.0.0-M5
  - org.apache.rat:apache-rat-plugin 0.12 → 0.13
  - org.assertj:assertj-core 3.19.0 → 3.20.2
  - org.codehaus.groovy:groovy-dateutil 3.0.7 → 3.0.8
  - org.codehaus.groovy:groovy-jsr223 3.0.7 → 3.0.8
  - org.codehaus.plexus:plexus-utils 3.3.0 → 3.4.0
  - org.eclipse.persistence:javax.persistence 2.1.1 → 2.2.1
  - org.eclipse.persistence:org.eclipse.persistence.jpa 2.6.5 → 2.6.9
  - org.eclipse.persistence:org.eclipse.persistence.jpa 2.7.8 → 2.7.9
  - org.fusesource.jansi 2.3.2 → 2.3.4
  - org.fusesource.jansi:jansi 2.3.1 → 2.3.2
  - org.hsqldb:hsqldb 2.5.1 → 2.5.2
  - org.junit.jupiter:junit-jupiter-engine 5.7.1 → 5.7.2
  - org.junit.jupiter:junit-jupiter-migrationsupport 5.7.1 → 5.7.2
  - org.junit.jupiter:junit-jupiter-params 5.7.1 → 5.7.2
  - org.junit.vintage:junit-vintage-engine 5.7.1 → 5.7.2
  - org.liquibase:liquibase-core 3.5.3 → 3.5.5
  - org.mockito:mockito-core 3.8.0 → 3.11.2
  - org.mockito:mockito-junit-jupiter 3.8.0 → 3.11.2
  - org.springframework:spring-aop 5.3.3 → 5.3.9
  - org.springframework:spring-beans 5.3.3 → 5.3.9
  - org.springframework:spring-context 5.3.3 → 5.3.9
  - org.springframework:spring-context-support 5.3.3 → 5.3.9
  - org.springframework:spring-core 5.3.3 → 5.3.9
  - org.springframework:spring-expression 5.3.3 → 5.3.9
  - org.springframework:spring-oxm 5.3.3 → 5.3.9
  - org.springframework:spring-test 5.3.3 → 5.3.9
  - org.springframework:spring-web 5.3.3 → 5.3.9
  - org.springframework:spring-webmvc 5.3.3 → 5.3.9
  - org.tukaani:xz 1.8 → 1.9
(for by Gary Gregory)
Fixed
-
LoggerContext skips resolving localhost when hostName is configured. (for LOG4J2-2808 by Carter Kozak, Asapha Halifa)
-
Handle Disruptor event translation exceptions. (for LOG4J2-2816 by Volkan Yazıcı, Jacob Shields)
-
SocketAppender should propagate failures when reconnection fails. (for LOG4J2-2829 by Volkan Yazıcı)
-
Slf4j implementations walk the stack at most once rather than twice to determine the caller’s class loader. (for LOG4J2-2940 by Carter Kozak)
-
Fixed a deadlock between the AsyncLoggerContextSelector and java.util.logging.LogManager by updating Disruptor to 3.4.4. (for LOG4J2-2965 by Carter Kozak)
-
BasicContextSelector hasContext and shutdown take the default context into account (for LOG4J2-3054 by Carter Kozak)
-
Fix thread-safety issues in DefaultErrorHandler. (for LOG4J2-3060 by Volkan Yazıcı, Nikita Mikhailov)
-
Ensure EncodingPatternConverter#handlesThrowable is implemented. (for LOG4J2-3070 by Volkan Yazıcı, Romain Manni-Bucau)
-
Fix formatting of nanoseconds in JsonTemplateLayout. (for LOG4J2-3075 by Volkan Yazıcı)
-
Use SimpleMessage in Log4j 1 Category whenever possible. (for LOG4J2-3080 by Volkan Yazıcı)
-
log4j-slf4j-impl and log4j-slf4j18-impl correctly detect the calling class using both LoggerFactory.getLogger methods as well as LoggerFactory.getILoggerFactory().getLogger. (for LOG4J2-3083 by Carter Kozak)
-
Fix race in JsonTemplateLayout where a timestamp could end up unquoted. (for LOG4J2-3087 by Volkan Yazıcı, Anton Klarén)
-
Fix sporadic JsonTemplateLayoutNullEventDelimiterTest failures on Windows. (for LOG4J2-3089 by Volkan Yazıcı, Tim Perry)
-
Fix JsonWriter memory leaks due to retained excessive buffer growth. (for LOG4J2-3092 by Volkan Yazıcı, xmh51)
-
Category.setLevel should accept null value. (for LOG4J2-3095 by Gary Gregory, Kenny MacLeod)
-
Fix a regression in 2.14.1 which allowed the AsyncAppender background thread to keep the JVM alive because the daemon flag was not set. (for LOG4J2-3102 by Carter Kozak)
-
Fix race condition which can result in ConcurrentModificationException on context.stop. (for LOG4J2-3103 by Carter Kozak, Mike Glazer)
-
SmtpManager.createManagerName ignores port. (for LOG4J2-3107 by Volkan Yazıcı, Markus Spann)
-
Fix cases where the number of {}-placeholders in the string literal argument does not match the number of other arguments to the logging call. (for LOG4J2-3110 by Ralph Goers, Arturo Bernal)
-
Enable immediate flush on RollingFileAppender when buffered i/o is not enabled. (for LOG4J2-3114 by Ralph Goers, Barnabas Bodnar)
-
log4j2 config modified at run-time may trigger incomplete MBean re-initialization due to InstanceAlreadyExistsException. (for LOG4J2-3121 by Gary Gregory, Markus Spann)
-
log4j-1.2-api implements LogEventAdapter.getTimestamp() based on the original event timestamp instead of returning zero. (for LOG4J2-3142 by Carter Kozak, John Meikle)
-
RandomAccessFile appender uses the correct default buffer size of 256 kB rather than the default appender buffer size of 8 kB. (for LOG4J2-3150 by Carter Kozak)
-
DatePatternConverter performance is not impacted by microsecond-precision clocks when such precision isn’t required. (for LOG4J2-3153 by Carter Kozak)
-
Fixed an unlikely race condition in Log4jMarker.getParents() volatile access. (for LOG4J2-3159 by Carter Kozak)
-
Fix documentation on how to toggle log4j2.debug system property. (for LOG4J2-3160 by Volkan Yazıcı, Lars Bohl)
-
Fix bug when file names contain regex characters. (for LOG4J2-3168 by Ralph Goers, Benjamin Wöster)
-
Buffer immutable log events in the SmtpManager. (for LOG4J2-3172 by Volkan Yazıcı, Barry Fleming)
-
Wrong subject on mail when it depends on the LogEvent (for LOG4J2-3174 by Volkan Yazıcı, romainmoreau)
-
Avoid KafkaManager override when topics differ. (for LOG4J2-3175 by Volkan Yazıcı, wuqian0808)
-
Avoid using MutableInstant of the event as a cache key in JsonTemplateLayout. (for LOG4J2-3183 by Volkan Yazıcı)
-
Fix thread-safety issues in DefaultErrorHandler. (for LOG4J2-3185 by Volkan Yazıcı, mzbonnt)
-
Limit the protocols JNDI can use by default. Limit the servers and classes that can be accessed via LDAP. (for LOG4J2-3201 by Ralph Goers)