Log4j#Ports
{{Short description|Java-based logging software}}
{{About|the Java logging framework|the 2021 vulnerability affecting Log4j|Log4Shell}}
{{Use mdy dates|date=December 2021}}
{{Use American English|date=December 2021}}
{{Infobox software
| name = Apache Log4j
| logo = 250px
| screenshot =
| caption =
| developer = Apache Software Foundation
| released = {{start date and age|2001|01|08}}{{cite web |url=https://logging.apache.org/log4j/1.2/changes-report.html |title=Apache Log4j 1.2 Release History |author= |website=apache.org |publisher=Apache Software Foundation |access-date=2014-09-02}}
| latest release version = {{wikidata|property|edit|reference|P348}}
| latest release date = {{start date and age|{{wikidata|qualifier|single|P348|P577}}}}{{Cite web |title=Release Notes - Log4j |author= |work=logging.apache.org |date= |access-date=9 October 2023 |url=https://logging.apache.org/log4j/2.x/release-notes/index.html}}
| latest preview version =
| latest preview date =
| operating system = Cross-platform
| repo = {{url|https://github.com/apache/logging-log4j2}}
| programming language = Java
| genre = Logging
| license = Apache License 2.0
| website = {{url|https://logging.apache.org/log4j/2.x/}}
}}
Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.
Gülcü has since created SLF4J, Reload4j,{{cite web|url=http://reload4j.qos.ch/ |title=Reload4j Home |publisher=reload4j.qos.ch |access-date=2022-01-12}} and Logback{{cite web|url=http://logback.qos.ch/ |title=Logback Home |publisher=Logback.qos.ch |access-date=2014-07-24}}{{Better source needed|reason=A secondary source should be found to make a connection between Gulcu and Reload4j and Logback.|date=August 2022}} which are alternatives to Log4j.{{Cite web |last=Grigg |first=Kadi |title=Wicked Good Development - Cybersecurity Experts Talk Log4J, Open Source and More |url=https://blog.sonatype.com/wicked-good-development-episode-1 |access-date=2022-08-16 |website=blog.sonatype.com |date=February 4, 2022 |language=en-us}}
The Apache Log4j team developed Log4j 2{{cite web|date=2014-07-12|title=Log4j 2 Guide - Apache Log4j 2|url=http://logging.apache.org/log4j/2.x/|access-date=2014-07-24|publisher=Logging.apache.org}} in response to the problems of Log4j 1.2, 1.3, java.util.logging
and Logback, addressing issues which appeared in those frameworks.{{Cite web |title=Why was Log4j 2 created? |last=Goers |first=Ralph |website=Ralph Goers |date=15 December 2019 |url= https://www.ralphgoers.com/post/why-was-log4j-2-created}} In addition, Log4j 2 offered a plugin architecture which makes it more extensible than its predecessor. Log4j 2 is not backwards compatible with 1.x versions,{{cite web|url=http://logging.apache.org/log4j/2.x/index.html#News |title=Log4j 2 Guide - Apache Log4j 2: News |publisher=Logging.apache.org |date=2014-07-12 |access-date=2014-07-24}} although an "adapter" is available. On August 5, 2015, the Apache Logging Services Project Management Committee announced that Log4j 1 had reached end of life and that users of Log4j 1 were advised to upgrade to Apache Log4j 2.{{cite web|url=https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces |title=Apache Logging Services Project Announces Log4j 1 End-Of-Life; Recommends Upgrade to Log4j 2 |publisher=blogs.apache.org |date=2015-08-05 |access-date=2016-07-03}} On January 12, 2022, a forked and renamed log4j version 1.2 was released by Ceki Gülcü as Reload4j version 1.2.18.0 with the aim of fixing the most urgent issues in log4j 1.2.17 that had accumulated since its release in 2013.{{cite web|url=https://reload4j.qos.ch |title=Reload4j Project; Easy migration from log4j 1.2.x |publisher=qos.ch |date=2022-01-12 |access-date=2022-01-12}}
On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell". It has been characterized by Tenable as "the single biggest, most critical vulnerability of the last decade".
Apache Log4j 2
Apache Log4j 2 is the successor of Log4j 1 which was released as GA version in July 2015. The framework was rewritten from scratch and has been inspired by existing logging solutions, including Log4j 1 and java.util.logging. The main differences{{cite web|url=http://www.grobmeier.de/the-new-log4j-2-0-05122012.html |title=The new log4j 2.0 |publisher=Grobmeier.de |date=2012-12-05 |access-date=2014-07-24}}{{cite web|url=http://logging.apache.org/log4j/2.x/manual/index.html |title=Log4j – Overview - Apache Log4j 2 |publisher=logging.apache.org |date=2016-06-05 |access-date=2016-07-03}} from Log4j 1 are:
- Improved reliability: messages are not lost while the framework is being reconfigured, as they are in Log4j 1 or Logback
- Extensibility: Log4j 2 supports a plugin system to let users define and configure custom components
- Simplified configuration syntax
- Support for XML, JSON, YAML and properties configurations
- Improved filters
- Property lookup support for values defined in the configuration file, system properties, environment variables, the ThreadContext Map, and data present in the event
- Support for multiple APIs: Log4j 2 can be used with applications using the Log4j 2, Log4j 1.2, SLF4J, Commons Logging and java.util.logging (JUL) APIs.
- Custom log levels
- Java 8-style lambda support for "lazy logging"
- Markers
- Support for user-defined Message objects
- "Garbage-free or low garbage" in common configurations
- Improved speed
- Improved support for Linux
One of the most recognized features of Log4j 2 is the performance of the "Asynchronous Loggers".{{cite web|url=http://logging.apache.org/log4j/2.x/manual/async.html#Performance |title=Log4j 2 Asynchronous Loggers for Low-Latency Logging - Apache Log4j 2 |publisher=Logging.apache.org |date=2014-07-12 |access-date=2014-07-24}} Log4j 2 makes use of the LMAX Disruptor.{{cite web|url=https://lmax-exchange.github.io/disruptor/ |title=Disruptor by LMAX-Exchange |publisher=Lmax-exchange.github.io |access-date=2014-07-24}} The library reduces the need for kernel locking and increases the logging performance by a factor of 12. For example, in the same environment Log4j 2 can write more than 18,000,000 messages per second, whereas other frameworks like Logback and Log4j 1 write fewer than 2,000,000 messages per second.
Features
= Log4j log levels =
The following table defines the built-in log levels and messages in Log4j, in decreasing order of severity. The left column lists the log level designation in Log4j and the right column provides a brief description of each log level.
{| class="wikitable"
|-
! scope="col" | Level
! scope="col" | Description
|-
! scope="row" | OFF
| The highest possible rank and is intended to turn off logging.
|-
! scope="row" | FATAL
| Severe errors that cause premature termination. Expect these to be immediately visible on a status console.
|-
! scope="row" | ERROR
| Other runtime errors or unexpected conditions. Expect these to be immediately visible on a status console.
|-
! scope="row" | WARN
| Use of deprecated APIs, poor use of API, 'almost' errors, other runtime situations that are undesirable or unexpected, but not necessarily "wrong". Expect these to be immediately visible on a status console.
|-
! scope="row" | INFO
| Interesting runtime events (startup/shutdown). Expect these to be immediately visible on a console, so be conservative and keep to a minimum.
|-
! scope="row" | DEBUG
| Detailed information on the flow through the system. Expect these to be written to logs only. Generally speaking, most lines logged by your application should be written as DEBUG.
|-
! scope="row" | TRACE
| Most detailed information. Expect these to be written to logs only. Since version 1.2.12.{{cite web|url=http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html#TRACE |title=Level (Apache Log4j 1.2.17 API) |publisher=Logging.apache.org |date=2012-06-09 |access-date=2014-07-24}}
|}
==Custom log levels==
Log4j 2 allows users to define their own log levels.{{cite web|url=https://logging.apache.org/log4j/2.x/manual/customloglevels.html |title=Custom Log Levels |publisher=Logging.apache.org |date=2014-07-12 |access-date=2016-07-16}} A source code generator tool is provided to create Loggers that support custom log levels identically to the built-in log levels. Custom log levels can either complement or replace the built-in log levels.
=Log4j configuration=
Log4j can be configured{{cite web|url=https://logging.apache.org/log4j/2.x/manual/configuration.html |title=Configuration |publisher=Logging.apache.org |date=2016-07-05 |access-date=2016-07-16}} through a configuration file or through Java code. Configuration files can be written in XML, JSON, YAML, or properties file format. Three main components can be defined: Loggers, Appenders, and Layouts. Configuring logging via a file has the advantage that logging can be turned on or off without modifying the application that uses Log4j. The application can be allowed to run with logging off until there's a problem, for example, and then logging can be turned back on simply by modifying the configuration file.
Loggers{{cite web|url=https://logging.apache.org/log4j/2.x/manual/architecture.html |title=Architecture|publisher=Logging.apache.org |date=2016-07-05 |access-date=2016-07-16}} are named log message destinations. They are the names that are known to the Java application. Each logger is independently configurable as to what level of logging (FATAL, ERROR, etc.) it currently logs. In early versions of Log4j, these were called category and priority, but now they're called logger and level, respectively. A Logger can send log messages to multiple Appenders.
The actual outputs are done by Appenders.{{cite web|url=https://logging.apache.org/log4j/2.x/manual/appenders.html |title=Appenders|publisher=Logging.apache.org |date=2016-07-05 |access-date=2016-07-16}} There are numerous Appenders available, with descriptive names, such as FileAppender, RollingFileAppender, ConsoleAppender, SocketAppender, SyslogAppender, and SMTPAppender. Log4j 2 added Appenders that write to Apache Flume, the Java Persistence API, Apache Kafka, NoSQL databases, Memory-mapped files, Random Access files{{cite web|url=https://docs.oracle.com/javase/7/docs/api/java/io/RandomAccessFile.html |title=RandomAccessFile|publisher=docs.oracle.com |date=2011-07-28 |access-date=2016-07-16}} and ZeroMQ endpoints. Multiple Appenders can be attached to any Logger, so it's possible to log the same information to multiple outputs; for example to a file locally and to a socket listener on another computer.
Appenders use Layouts{{cite web|url=https://logging.apache.org/log4j/2.x/manual/layouts.html |title=Layouts|publisher=Logging.apache.org |date=2016-07-05 |access-date=2016-07-16}} to format log entries. A popular way to format one-line-at-a-time log files is PatternLayout, which uses a pattern string, much like the C / C++ function printf. There are also HTMLLayout and XMLLayout formatters for use when HTML or XML formats are more convenient, respectively. Log4j 2 added Layouts for CSV, Graylog Extended Log Format (GELF),{{cite web |url=http://docs.graylog.org/en/2.0/pages/gelf.html |title=GELF |publisher=docs.graylog.org |date=2016-06-08 |access-date=2016-07-16 |archive-date=February 9, 2020 |archive-url=https://web.archive.org/web/20200209132812/http://docs.graylog.org/en/2.0/pages/gelf.html |url-status=dead }} JSON, YAML and RFC-5424.{{cite journal|url=https://tools.ietf.org/html/rfc5424 |title=RFC 5424 - The Syslog Protocol|publisher=tools.ietf.org |date=2009-03-01 |doi=10.17487/RFC5424 |access-date=2016-07-16|last1=Gerhards |first1=R. |url-access=subscription }}
In Log4j 2, Filters{{cite web|url=https://logging.apache.org/log4j/2.x/manual/filters.html |title=Filters|publisher=Logging.apache.org |date=2016-07-05 |access-date=2016-07-16}} can be defined on configuration elements to give more fine-grained control over which log entries should be processed by which Loggers and Appenders. In addition to filtering by log level and regular expression matching on the message string, Log4j 2 added burst filters, time filters, filtering by other log event attributes like Markers or Thread Context Map and JSR 223 script filters.
To debug a misbehaving configuration:
- In Log4j 2 configurations, set the status attribute to TRACE to send internal status logging output to standard out. To enable status logging before the configuration is found, use the Java VM property -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=trace.
- In Log4j 1, use the Java VM property -Dlog4j.debug.
To find out where a log4j2.xml configuration file was loaded from, inspect getClass().getResource("/log4j2.xml").
There is also an implicit "unconfigured" or "default" configuration of Log4j, that of a Log4j-instrumented Java application which lacks any Log4j configuration. This prints to stdout a warning that the program is unconfigured, and the URL to the Log4j web site where details on the warning and configuration may be found. As well as printing this warning, an unconfigured Log4j application will only print ERROR or FATAL log entries to standard out.
==Example for Log4j 2==
==Example for Log4j 1.2 ==
value="%d{ABSOLUTE} %5p %c{1}:%L - %m%n" />
= TTCC =
TTCC is a message format used by log4j.{{cite web|url=http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/TTCCLayout.html |title=TTCCLayout (Apache Log4j 1.2.17 API) |publisher=Logging.apache.org |date=2012-06-09 |access-date=2014-07-24}} TTCC is an acronym for Time Thread Category Component. It uses the following pattern:
%r [%t] %-5p %c %x - %m%n
Where:
{| class="wikitable"
|-
! scope="col" | Mnemonic
! scope="col" | Description
|-
| %r
| Used to output the number of milliseconds elapsed from the construction of the layout until the creation of the logging event.
|-
| %t
| Used to output the name of the thread that generated the logging event.
|-
| %p
| Used to output the priority of the logging event.
|-
| %c
| Used to output the category of the logging event.
|-
| %x
| Used to output the NDC (nested diagnostic context) associated with the thread that generated the logging event.{{cite web |url=http://people.apache.org/~carnold/log4j/docs/org/apache/log4j/NDC.html |title=Class NDC |archive-url=https://web.archive.org/web/20070820182511/http://logging.apache.org/log4j/docs/api/org/apache/log4j/NDC.html |archive-date=2007-08-20 |url-status=live|access-date=2021-12-11}}
|-
| %X{key}
| Used to output the MDC (mapped diagnostic context) associated with the thread that generated the logging event for specified key.{{cite web|url=http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/MDC.html |title=MDC (Apache Log4j 1.2.17 API) |publisher=Logging.apache.org |date=2012-06-09 |access-date=2014-07-24}}
|-
| %m
| Used to output the application supplied message associated with the logging event.
|-
| %n
| Used to output the platform-specific newline character or characters.
|}
Example output
467 [main] INFO org.apache.log4j.examples.Sort - Exiting main method.
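For anyone who has to read TTCC-formatted logs back in (for triage or ingestion into a SIEM), the following added example, which is not part of the article or of Log4j itself, turns a conversion pattern built from the mnemonics in the table into a regular expression and parses log lines with it. It generalizes slightly beyond TTCC by accepting any pattern made of those mnemonics; the sample lines, the <code>com.example</code> names and the field names are constructed for illustration.

```python
import re

# Group name and regex for each conversion character in the table above.
CONVERSIONS = {
    "r": ("elapsed_ms", r"\d+"),
    "t": ("thread", r".+?"),
    "p": ("priority", r"[A-Z]+"),
    "c": ("category", r"\S+"),
    "x": ("ndc", r".*?"),      # empty when the thread has no NDC
    "m": ("message", r".*"),
}
# %[-][min width][.max width]<char>[{option}]
TOKEN = re.compile(r"%(-?)(\d*)(?:\.\d+)?([a-zA-Z])(?:\{([^}]*)\})?")


def compile_pattern(pattern):
    """Translate a conversion pattern into an anchored regex with named groups."""
    parts, pos = [], 0
    for tok in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))  # literal text
        pos = tok.end()
        left_justified, width, char, option = tok.groups()
        if char == "n":        # line separator: lines are stripped before matching
            continue
        if char == "X":        # %X{key}: one MDC value, group named after the key
            name, body = "mdc_" + re.sub(r"\W", "_", option or ""), r"\S*"
        elif char in CONVERSIONS:
            name, body = CONVERSIONS[char]
        else:
            raise ValueError("unsupported conversion: %" + char)
        group = "(?P<%s>%s)" % (name, body)
        if width:              # padding follows the value when left-justified
            group = group + " *" if left_justified else " *" + group
        parts.append(group)
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_lines(lines, regex):
    """Parse lines into events; lines that do not match the pattern (for
    example stack traces) are attached to the preceding event."""
    events = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = regex.match(line)
        if m:
            event = m.groupdict()
            if "elapsed_ms" in event:
                event["elapsed_ms"] = int(event["elapsed_ms"])
            event["continuation"] = []
            events.append(event)
        elif events:
            events[-1]["continuation"].append(line)
    return events


TTCC = "%r [%t] %-5p %c %x - %m%n"
# Constructed sample lines. They keep the layout's real spacing: %-5p pads
# INFO to five characters and an empty %x leaves two spaces before the dash.
SAMPLE = [
    "467 [main] INFO  org.apache.log4j.examples.Sort  - Exiting main method.\n",
    "1093 [worker 2] ERROR com.example.Billing order-17 - charge failed - retrying\n",
    "java.io.IOException: connection reset\n",
    "\tat com.example.Billing.charge(Billing.java:88)\n",
]

if __name__ == "__main__":
    for event in parse_lines(SAMPLE, compile_pattern(TTCC)):
        print(event)
```
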
Ports
- log4c – A port for C. Log4C is a C-based logging library, released on SourceForge under the LGPL license. For various Unix operating systems the autoconf and automake files are provided. On Windows a Makefile is provided for use with MSVC. Developers may also choose to use their own make system to compile the source, depending on their build engineering requirements. An instance of the log4c library may be configured via three methods: using environment variables, programmatically, or via XML configuration file. log4c has appenders for Files, Streams and memory mapped files. (No Socket Adapter.) Last version is 1.2.4, released in 2013, and the project is no longer actively developed.{{cite web|url=http://sourceforge.net/projects/log4c/ |title=Logging Framework for C | Free System Administration software downloads at |publisher=Sourceforge.net |access-date=2014-07-24}}
- log4js – A port for JavaScript. Log4js is available under the licence of Apache Software Foundation. One special feature of Log4js is the ability to log the events of the browser remotely on the server. Using Ajax it is possible to send the logging events in several formats (XML, JSON, plain ASCII, etc.) to the server to be evaluated there. The following appenders are implemented for log4js: AjaxAppender, ConsoleAppender, FileAppender, JSConsoleAppender, MetatagAppender, and WindowsEventsAppender. The following Layout classes are provided: BasicLayout, HtmlLayout, JSONLayout, and XMLLayout. Latest version {{As of|2021|lc=y}} was 2.0 of 18 October 2018.{{cite web |url=https://github.com/stritti/log4js |title=stritti/Log4js - The Logging Framework for JavaScript with no runtime dependencies |website=GitHub|date= |author= |access-date= 11 December 2021}}
- log4javascript – Another port for JavaScript. log4javascript is a JavaScript logging framework based on the log4j. The latest version {{As of|2021|lc=y}} was 1.4.13, released on 23 May 2015.{{cite web|url=http://log4javascript.org/ |title=a JavaScript logging framework |publisher=log4javascript |access-date=2021-12-11}}
- JSNLog – A port for JavaScript. Automatically places messages from JavaScript loggers in server side logs using a .NET server side component that interfaces with Log4Net, NLog, Elmah or Common.Logging. This provides an integrated log for client and server side events. Request ids correlate events related to a specific user. Configuration is via a server side web.config file. Supports exception logging including stack traces. {{As of|2021}} the latest version was 3.0.0 and updates were made regularly.{{cite web |url=http://jsnlog.com/ |title=Logging JavaScript errors to your server side log |publisher=JSNLog |access-date=2021-12-11}}
- Apache Log4net – A port to the Microsoft .NET Framework. The initial work was done by Neoworks and was donated to the Apache Software Foundation in February 2004. The framework is similar to the original log4j while taking advantage of new features in the .NET runtime. Provides Nested Diagnostic Context (NDC) and Mapped Diagnostic Context (MDC). The latest version {{As of|2022|lc=y}} was 2.0.15.{{cite web|url=http://logging.apache.org/log4net/ |title=Apache log4net|publisher=Logging.apache.org |access-date=2021-12-11}}
- log4perl – A Perl port of log4j. Version 1.57 of October 2022 was current {{As of|2024|lc=y}}.{{cite web|url=http://mschilli.github.io/log4perl/ |title=log4perl - log4j for Perl|first1=Mike|last1=Schilli|first2=Kevin|last2=Goess|website=log4perl|access-date=2021-12-11}}
- Apache log4php – "A versatile logging framework for PHP. Originally a port of Apache log4j to PHP, it has grown to include various PHP specific features."{{cite web|url=http://logging.apache.org/|title=Apache Logging Services |publisher=Apache.org |access-date=2015-03-11}}
- PL-SQL-Logging-Utility is an adaptation of log4j in PL/SQL.{{cite web|url=https://github.com/tmuth/Logger---A-PL-SQL-Logging-Utility |title=tmuth/Logger-A-PL-SQL-Logging-Utility — GitHub |publisher=Github.com |access-date=2014-07-24}}
- Log4db2 is a logging utility for DB2 for LUW that uses SQL instructions with SQL PL code.{{cite web|url=https://angoca.github.io/log4db2/ |title=Log4db2 by angoca |publisher=Angoca.github.io |access-date=2014-07-24}}
- Apache Log4cxx – A logging framework for C++ patterned after Apache log4j, which uses Apache Portable Runtime for most platform-specific code and should be usable on any platform supported by APR. The latest version is 0.13.0, released in 2022.{{cite web|title=log4cxx - Changelog|url=https://logging.apache.org/log4cxx/latest_stable/changelog.html|website=logging.apache.org}}
- Log4r – A comprehensive and flexible logging library written in Ruby for use in Ruby programs. It was inspired by and provides many of the features of the Apache Log4j project.{{cite web|title=Log4r Manual|url=http://log4r.rubyforge.org/|publisher=log4r.rubyforge.org|access-date=2017-04-13|url-status=dead|archive-url=https://archive.today/20121225133348/http://log4r.rubyforge.org/|archive-date=2012-12-25}}
Log4Shell vulnerability
{{main|Log4Shell}}
A zero-day vulnerability involving remote code execution in Log4j 2, given the descriptor "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021.{{Cite web|url=https://www.lawfaremedia.org/article/whats-deal-log4shell-security-nightmare|title=What's the Deal with the Log4Shell Security Nightmare?|date=December 10, 2021|website=Lawfare}} Affected services include Cloudflare, iCloud, Minecraft: Java Edition,{{Cite web|date=10 December 2021|title=Security Vulnerability in Minecraft: Java Edition|url=https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition|website=Minecraft}} Steam, Tencent QQ, and Twitter.{{cite web |url=https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/ |title=Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet |last=Goodin |first=Dan |date=December 9, 2021 |website=Ars Technica |access-date=December 10, 2021 |quote=}}{{cite web |url=https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html |title=Worst Apache Log4j RCE Zero day Dropped on Internet |author= |date=December 9, 2021 |website=Cyber Kendra |access-date=December 10, 2021 |quote=}}{{cite web |url=https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit |title=Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit |last=Mott |first=Nathaniel |date=December 10, 2021 |website=PC Magazine |access-date=December 10, 2021 |quote=}} The Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could be potentially vulnerable to the exploit. 
The vulnerability was characterized by cybersecurity firm Tenable as "the single biggest, most critical vulnerability of the last decade"{{Cite web|url=https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell|title=Recently uncovered software flaw 'most critical vulnerability of the last decade'|agency=Associated Press|date=December 11, 2021|website=the Guardian}} and Lunasec's Free Wortley characterized it as "a design failure of catastrophic proportions".{{Cite magazine|url=https://www.wired.com/story/log4j-flaw-hacking-internet/|title=The Internet Is on Fire|first=Lily Hay|last=Newman|magazine=Wired |date=10 December 2021|via=www.wired.com}}
In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit "critical" and advised vendors to prioritize software updates,{{Cite web|url=https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability|title=Statement from CISA Director Easterly on "Log4j" Vulnerability|date=2021-12-11|work=CISA|location=Washington}} and the German agency Federal Office for Information Security (BSI) designated the exploit as being at its highest threat level, calling it an "extremely critical threat situation" (translated).{{Cite web|url=https://www.tagesschau.de/inland/bsi-schadsoftware-101.html|title=BSI warnt vor Sicherheitslücke|language=de|trans-title=BSI warns of security vulnerabilities|date=2021-12-12|work=Tagesschau}}{{Cite web
|url=https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/211211_log4Shell_WarnstufeRot.html
|title=Warnstufe Rot: Schwachstelle Log4Shell führt zu extrem kritischer Bedrohungslage|language=de
|trans-title=Red alarm: Log4Shell vulnerability causes extremely critical threat situation
|date=2021-12-12|work=BSI press service
}} The Canadian Centre for Cyber Security (CCCS) called on organisations to take immediate action.{{Cite web|url=https://cyber.gc.ca/en/news/statement-minister-national-defence-apache-vulnerability|title=Statement from the Minister of National Defence on Apache Vulnerability and Call to Canadian Organizations to Take Urgent Action|language=en|date=2021-12-12|work=Government of Canada|access-date=December 12, 2021|archive-date=December 20, 2021|archive-url=https://web.archive.org/web/20211220032436/https://www.cyber.gc.ca/en/news/statement-minister-national-defence-apache-vulnerability|url-status=dead}}
The feature causing the vulnerability could be disabled with a configuration setting, which had been removed{{cite web|title=LOG4J2-3198: Log4j2 no longer formats lookups in messages by default|url=https://github.com/apache/logging-log4j2/commit/001aaada7dab82c3c09cde5f8e14245dc9d8b454|date=2021-12-05|website=GitHub|language=en}} in Log4j version 2.15.0-rc1 (officially released on December 6, 2021, three days before the vulnerability was published), and replaced by various settings restricting remote lookups, thereby mitigating the vulnerability.{{Cite web|title=Restrict LDAP access via JNDI by rgoers · Pull Request #608 · apache/logging-log4j2|url=https://github.com/apache/logging-log4j2/pull/608|date=|website=GitHub|language=en}} 30 November–5 December 2021{{cite web|url=https://logging.apache.org/log4j/2.x/security.html|title=Apache Log4j Security Vulnerabilities|date=2021-12-06}} For additional security, all features using JNDI, on which this vulnerability was based, will be disabled by default, and support for message lookups removed from version 2.16.0 onward.{{cite web|url=https://issues.apache.org/jira/browse/LOG4J2-3208|title=LOG4J2-3208: Disable JNDI by default|date=December 11, 2021|access-date=2021-12-14}}{{cite web|url=https://issues.apache.org/jira/browse/LOG4J2-3211|title=LOG4J2-3211: Remove support for Lookups in messages|date=2021-12-13|access-date=2021-12-14}}
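The version milestones above can be turned into an inventory check. The following added example, which is not code from the article or from the Log4j project, finds copies of log4j-core inside a JAR, WAR or EAR (including JARs nested in application archives) and labels each against the 2.15.0 and 2.16.0 changes described in this section. The status labels, the size limit and the sample archive are constructed here, and checking whether the JndiLookup class is still present is an extra signal added by this example rather than something the article describes.

```python
import io
import re
import zipfile

# Paths used by real log4j-core JARs: Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # assumption: skip larger nested archives


def parse_version(text):
    """Return (major, minor, patch) from '2.14.1' or '2.15.0-rc1', else None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, has_jndi_class):
    """Map a log4j-core version onto the milestones named in this section."""
    if version is None:
        return "unknown"
    if version >= (2, 16, 0):   # JNDI off by default, message lookups removed
        return "jndi-disabled-by-default"
    if version >= (2, 15, 0):   # remote lookups restricted
        return "remote-lookups-restricted"
    return "pre-2.15-jndi-present" if has_jndi_class else "pre-2.15-jndi-absent"


def scan_archive(data, label, depth=0, max_depth=4):
    """Return one finding per log4j-core copy in the archive bytes `data`."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = parse_version(m.group(1)) if m else None
            has_jndi = JNDI_CLASS in names
            findings.append({"path": label, "version": version,
                             "jndi_class": has_jndi,
                             "status": classify(version, has_jndi)})
        # Application archives bundle their libraries as nested JARs.
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            nested = info.filename.lower().endswith(ARCHIVE_SUFFIXES)
            if nested and depth < max_depth and info.file_size <= MAX_NESTED_BYTES:
                findings += scan_archive(zf.read(info), label + "!/" + info.filename,
                                         depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build an in-memory archive from {name: content} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Scan a constructed application archive bundling three log4j-core copies."""
    stub = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    old = make_jar({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: stub})
    new = make_jar({POM_PROPS: "version=2.16.0\n", JNDI_CLASS: stub})
    stripped = make_jar({POM_PROPS: "version=2.14.1\n"})
    app = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": old,
                    "BOOT-INF/lib/log4j-core-2.16.0.jar": new,
                    "BOOT-INF/lib/patched-log4j-core-2.14.1.jar": stripped})
    return scan_archive(app, "app.jar")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
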
See also
{{Portal|Computer programming|Free and open-source software}}
{{Clear}}
References
{{Reflist|30em}}
Further reading
{{Refbegin}}
- {{Citation
| first1 = Ceki
| last1 = Gülcü
| date = February 2010
| title = The Complete Log4j Manual
| edition = 2nd
| publisher = QOS.ch
| page = 204
| isbn = 978-2-9700369-0-6
}}
- {{Citation
| first1 = Samudra
| last1 = Gupta
| date = June 22, 2005
| title = Pro Apache Log4j
| edition = 2nd
| publisher = Apress
| page = 224
| isbn = 978-1-59059-499-5
}}
{{Refend}}
External links
- {{Official website}}
{{Apache Software Foundation}}
Category:Apache Software Foundation
Category:Free software programmed in Java (programming language)