The Apache Logging Services Security Team takes security seriously. This allows our users to place their trust in Log4j for protecting their mission-critical data. In this page we will help you find guidance on security-related issues and access to known vulnerabilities.


Log4j 1 has reached End of Life in 2015, and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1 are not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

Getting support

If you need help on building or configuring any logging component such as Log4j or other help on following the instructions to mitigate the known vulnerabilities listed here, please use our user support channels.


If you need to apply a source code patch, use the building instructions for the Log4j version that you are using. These instructions can be found in distributed with the sources.

Reporting vulnerabilities

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them privately to the Logging Services Security Team.


The threat model that Log4j uses considers configuration files as safe input controlled by the programmer; potential vulnerabilities that require the ability to modify a configuration are not considered vulnerabilities as the required access to do so implies the attacker can execute arbitrary code.

Vulnerability handling policy

The Apache Logging Services Security Team follows the ASF Project Security guide for handling security vulnerabilities.

Reported security vulnerabilities are subject to voting (by means of lazy approval, preferably) in the private security mailing list before creating a CVE and populating its associated content. This procedure involves only the creation of CVEs and blocks neither (vulnerability) fixes, nor releases.

Vulnerability Disclosure Report (VDR)

Starting with version 2.22.0, Log4j distributes CycloneDX Software Bill of Materials (SBOM) along with each deployed artifact. Produced SBOMs contain BOM-links referring to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains. All this is streamlined by logging-parent, see its website for details.