The Apache Logging Services Security Team takes security seriously. This allows our users to place their trust in Log4j for protecting their mission-critical data. On this page you will find guidance on security-related issues and access to the list of known vulnerabilities.
If you need help building or configuring any logging component such as Log4j, or help following the instructions to mitigate the known vulnerabilities listed here, please use our user support channels.
If you need to apply a source code patch, use the building instructions for the Log4j version that you are using.
These instructions can be found in
If you have encountered an unlisted security vulnerability or other unexpected behaviour that has a security impact, or if the descriptions here are incomplete, please report them privately to the Logging Services Security Team.
The threat model that Log4j uses considers configuration files as safe input controlled by the programmer; potential vulnerabilities that require the ability to modify a configuration are not considered vulnerabilities as the required access to do so implies the attacker can execute arbitrary code.
Vulnerability handling policy
The Apache Logging Services Security Team follows the ASF Project Security guide for handling security vulnerabilities.
Vulnerability Disclosure Report (VDR)
Starting with version 2.22.0, Log4j distributes a CycloneDX Software Bill of Materials (SBOM) along with each deployed artifact.
Produced SBOMs contain BOM-links referring to a CycloneDX Vulnerability Disclosure Report (VDR) that Apache Logging Services uses for all projects it maintains.
All this is streamlined by logging-parent; see its website for details.
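As an added illustration (not code from the Log4j project or this page), the following Python check reads a CycloneDX JSON SBOM and lists every external reference of type `vdr`, whether it is given as a plain URL or as a CycloneDX BOM-Link (`urn:cdx:<serial>/<version>#<bom-ref>`), so a consumer can confirm that a deployed artifact's SBOM actually points at a VDR. The SBOM below is constructed, and the VDR URL in it is a placeholder, not the address of the real Apache Logging Services VDR.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM (not a real Log4j SBOM); the VDR URL is a
# placeholder, not the address of the real Apache Logging Services VDR.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {"component": {
        "type": "library", "name": "log4j-core", "version": "2.22.0",
        "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.22.0",
        "externalReferences": [
            {"type": "website", "url": "https://logging.apache.org/"},
            {"type": "vdr", "url": "https://example.invalid/placeholder-vdr.xml"},
        ],
    }},
    "components": [{
        "type": "library", "name": "some-dependency", "version": "1.0",
        "bom-ref": "dep-1",
        "externalReferences": [{"type": "vdr",
            "url": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#dep-1"}],
    }],
})

# CycloneDX BOM-Link: urn:cdx:<uuid>/<bom version>[#<bom-ref>]
BOM_LINK = re.compile(r"^urn:cdx:[0-9a-f-]{36}/\d+(#.+)?$")

def _walk(component):
    """Yield a component and, recursively, its nested sub-components."""
    yield component
    for child in component.get("components", []):
        yield from _walk(child)

def find_vdr_references(sbom_json: str):
    """Return (component name, reference, kind) for every externalReference
    of type "vdr"; kind is "bom-link" for urn:cdx:... values, else "url"."""
    sbom = json.loads(sbom_json)
    roots = []
    if "component" in sbom.get("metadata", {}):
        roots.append(sbom["metadata"]["component"])  # the artifact itself
    roots.extend(sbom.get("components", []))          # its dependencies
    found = []
    for root in roots:
        for comp in _walk(root):
            for ref in comp.get("externalReferences", []):
                if ref.get("type") == "vdr":
                    kind = "bom-link" if BOM_LINK.match(ref["url"]) else "url"
                    found.append((comp.get("name"), ref["url"], kind))
    return found

def has_vdr(sbom_json: str) -> bool:
    """True when at least one component in the SBOM links to a VDR."""
    return bool(find_vdr_references(sbom_json))
```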