Security

The Apache Logging Services Security Team takes security seriously, so that users can trust Log4j with their mission-critical data. This page provides guidance on security-related issues and points you to the list of known vulnerabilities.

Warning

Log4j 1 reached End of Life in 2015 and is no longer supported. Vulnerabilities reported against Log4j 1 after August 2015 are not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

Getting support

If you need help building or configuring any logging component such as Log4j, or help following the instructions for mitigating the known vulnerabilities listed here, please use our user support channels.

Tip

If you need to apply a source code patch, follow the building instructions for the Log4j version you are using. These instructions are in the BUILDING.md file distributed with the sources.

Reporting vulnerabilities

If you have found a security vulnerability that is not listed here, observed other unexpected behaviour with a security impact, or believe that a description here is incomplete, please report it privately to the Logging Services Security Team.

Warning

Log4j's threat model treats configuration files as trusted input controlled by the programmer. Potential issues that require the ability to modify a configuration are therefore not considered vulnerabilities: the access needed to do so already implies that the attacker can execute arbitrary code.

Vulnerability handling policy

The Apache Logging Services Security Team follows the ASF Project Security guide for handling security vulnerabilities.

Reported security vulnerabilities are subject to a vote (preferably by lazy approval) on the private security mailing list before a CVE is created and its associated content populated. This procedure concerns only the creation of CVEs; it blocks neither vulnerability fixes nor releases.

Vulnerability Disclosure Report (VDR)

Starting with version 2.22.0, Log4j distributes a CycloneDX Software Bill of Materials (SBOM) along with each deployed artifact. The produced SBOMs contain BOM-links referring to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains. All of this is streamlined by logging-parent; see its website for details.
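The practical use of the SBOM-to-VDR link is to answer one question at deployment time: does the VDR assert any vulnerability against the exact artifact I am shipping? The following is an added example, not code from Log4j or logging-parent, that follows the reference from a CycloneDX SBOM to a VDR and checks the SBOM's main component against the VDR's assertions. Both documents are constructed inline so the check runs offline; the serial number and the VDR URL are illustrative, and the one VDR entry uses the real advisory CVE-2021-44228 together with a version it actually affected (2.14.1) and one it did not (2.15.0). It assumes the SBOM advertises the VDR as an externalReference of type "vulnerability-assertion" and that the VDR's "affects" refs are package-URLs, with or without a version.

```python
"""Follow an SBOM's VDR reference and check its component against the VDR.

Added example, not Log4j or logging-parent code. The SBOM and VDR below are
constructed inline so the check runs offline; in a real pipeline the VDR would
be fetched from the URL the SBOM advertises.
"""
import json

# Constructed CycloneDX 1.5 SBOM fragment, modelled on what a Maven build
# publishes beside an artifact. serialNumber and the VDR URL are illustrative;
# the externalReference type is an assumption about how the link is expressed.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
  "version": 1,
  "metadata": {
    "component": {
      "type": "library",
      "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
      "group": "org.apache.logging.log4j",
      "name": "log4j-core",
      "version": "2.14.1",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"
    }
  },
  "externalReferences": [
    {"type": "vulnerability-assertion", "url": "https://example.invalid/vdr.json"}
  ]
}
"""

# Constructed VDR: a CycloneDX BOM whose "vulnerabilities" array carries the
# assertions. The entry uses the real CVE-2021-44228 and real affected /
# unaffected versions of log4j-core; the document layout is otherwise illustrative.
VDR_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {
      "id": "CVE-2021-44228",
      "affects": [
        {
          "ref": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "versions": [
            {"version": "2.14.1", "status": "affected"},
            {"version": "2.15.0", "status": "unaffected"}
          ]
        }
      ]
    }
  ]
}
"""


def vdr_urls(sbom):
    """Return every VDR URL the SBOM advertises as a vulnerability-assertion reference."""
    return [ref["url"] for ref in sbom.get("externalReferences", [])
            if ref.get("type") == "vulnerability-assertion"]


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version).

    Qualifiers and subpath are dropped; version is None when the purl has none.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return core, None
    base, version = core.rsplit("@", 1)
    return base, version


def assertion_affects(affected, base, version):
    """True if one 'affects' entry marks (base, version) as affected.

    A versioned ref matches that exact version; an unversioned ref defers to
    its explicit 'versions' list. Range notation (vers:) is not handled here.
    """
    ref_base, ref_version = split_purl(affected["ref"])
    if ref_base != base:
        return False
    if ref_version is not None:
        return ref_version == version
    return any(v.get("version") == version and v.get("status") == "affected"
               for v in affected.get("versions", []))


def affecting_vulnerabilities(sbom, vdr):
    """IDs of VDR entries asserting the SBOM's main component as affected."""
    base, version = split_purl(sbom["metadata"]["component"]["purl"])
    return [vuln["id"] for vuln in vdr.get("vulnerabilities", [])
            if any(assertion_affects(a, base, version) for a in vuln.get("affects", []))]


def check(sbom_json, vdr_json):
    """Parse both documents and report the VDR links and matching vulnerability IDs."""
    sbom, vdr = json.loads(sbom_json), json.loads(vdr_json)
    return {"vdr_urls": vdr_urls(sbom),
            "affecting": affecting_vulnerabilities(sbom, vdr)}


if __name__ == "__main__":
    print(json.dumps(check(SBOM_JSON, VDR_JSON), indent=2))
```

The matching deliberately stops at exact versions; the VDR in production may express affected versions as ranges (the CycloneDX `vers:` scheme), which need a Maven-aware version comparator rather than string equality. Treat an empty result as "no assertion found", not as "unaffected": an SBOM whose externalReferences carry no vulnerability-assertion entry gives you nothing to check against.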