2.16.0 (2021-12-13)

This release contains one change which is noted below.

Due to a break in compatibility in the SLF4J binding, Log4j now ships with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases are not fully supported. See LOG4J2-2975 and SLF4J-511.

Some of the changes in Log4j 2.16.0 include:

Removed Message Lookups. This is a hardening related to changes made to prevent CVE-2021-44228. While this change is recommended, it is NOT required to fix CVE-2021-44228.
While release 2.15.0 removed the ability to resolve Lookups and log messages and addressed issues with how JNDI is accessed, the Log4j team feels that having JNDI enabled by default introduces an undue risk for our users. Starting in version 2.16.0, JNDI functionality is disabled by default and can be re-enabled via the log4j2.enableJndi system property. Use of JNDI in an unprotected context is a large security risk and should be treated as such in both this library and all other Java libraries using JNDI.
Prior to version 2.15.0, Log4j would automatically resolve Lookups contained in the message or its parameters in the Pattern Layout. This behavior is no longer the default and must be enabled by specifying %msg{lookup}.

The Log4j 2.16.0 API, as well as many core components, maintains binary compatibility with previous releases.

Apache Log4j 2.16.0 requires a minimum of Java 8 to build and run. Log4j 2.12.1 is the last release to support Java 7. Java 7 is no longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website.

Changes

Fixed

Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI. (for LOG4J2-3208 by Ralph Goers)
Completely remove support for Message Lookups. (for LOG4J2-3211 by Ralph Goers)