2.17.0 (2021-12-17)

The major changes contained in this release include:

  • Address CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration.

  • The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled.

  • Remove LDAP and LDAPS as supported protocols from JNDI.

The single log4j2.enableJndi property introduced in Log4j 2.16.0 has been replaced with three individual properties: log4j2.enableJndiContextSelector, log4j2.enableJndiJms, and log4j2.enableJndiLookup.
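
A configuration check for this property change, added here as an example (not code from the Log4j project): it scans JVM arguments and properties-file lines for the replaced log4j2.enableJndi property and reports which of the three new properties are set to true. The function name, the sample input, and the matching of only the exact property spellings given above are assumptions of the example.

```python
import re

# Property names taken from the release notes above.
LEGACY = "log4j2.enableJndi"
CURRENT = {
    "log4j2.enableJndiLookup": "JndiLookup",
    "log4j2.enableJndiJms": "JMSAppender",
    "log4j2.enableJndiContextSelector": "JndiContextSelector",
}

# Matches "-Dname=value" JVM arguments and "name=value" / "name: value" lines.
_PROP = re.compile(r"^(?:-D)?(log4j2\.enableJndi\w*)\s*[=:]\s*(\S*)")


def audit_jndi_settings(entries):
    """Return (findings, enabled components) for JVM args or properties lines."""
    findings, enabled = [], set()
    for raw in entries:
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _PROP.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).lower()
        if name == LEGACY:
            findings.append(f"{name}: replaced in 2.17.0; set the specific property needed instead")
        elif name in CURRENT:
            if value == "true":
                enabled.add(CURRENT[name])
                findings.append(f"{name}=true: {CURRENT[name]} enabled, confirm it is required")
        else:
            findings.append(f"{name}: not a property named in the 2.17.0 notes (typo?)")
    return findings, enabled


# Constructed sample: JVM arguments plus lines from a properties file.
SAMPLE = [
    "-Xmx512m",
    "-Dlog4j2.enableJndi=true",
    "# log4j2.enableJndiJms=true",
    "log4j2.enableJndiLookup = true",
    "log4j2.enableJndiContextSelector=false",
]

if __name__ == "__main__":
    for finding in audit_jndi_settings(SAMPLE)[0]:
        print(finding)
```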

The Log4j 2.17.0 API, as well as many core components, maintains binary compatibility with previous releases.

Apache Log4j 2.17.0 requires a minimum of Java 8 to build and run. Log4j 2.12.2 is the last release to support Java 7. Java 7 is no longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Log4j 2 website.

Changes

Fixed

  • Fix string substitution recursion. (for LOG4J2-3230 by Carter Kozak)

  • Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. (for LOG4J2-3237 by Gary Gregory)

  • Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin. (for LOG4J2-3241 by Ralph Goers)

  • Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. (for LOG4J2-3242 by Ralph Goers)

  • PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. (for LOG4J2-3247 by Gary Gregory)

  • Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. (for LOG4J2-3249 by Gary Gregory)