
===================================================================
                                CERT-Renater

                       Information Note No. 2021/VULN675
_____________________________________________________________________

DATE                : 30/12/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running log4j-api (maven), log4j-core
                      (maven) versions prior to 2.17.1, 2.12.4, and
                      2.3.2.

====================================================================
http://mail-archives.us.apache.org/mod_mbox/logging-log4j-user/202112.mbox/browser
_____________________________________________________________________

The Apache Log4j 2 team is pleased to announce the Log4j 2.12.4 release!

Apache Log4j is a well-known framework for logging application behavior.
Log4j 2 is an upgrade to Log4j that provides significant improvements
over its predecessor, Log4j 1.x, and provides many other modern features
such as support for Markers, lambda expressions for lazy logging,
property substitution using Lookups, multiple patterns on a
PatternLayout and asynchronous Loggers. Another notable Log4j 2 feature
is the ability to be "garbage-free" (avoid allocating temporary objects)
while logging. In addition, Log4j 2 will not lose events while
reconfiguring.

The artifacts may be downloaded from
https://logging.apache.org/log4j/log4j-2.12.4/download.html.

This release contains the changes noted below:

	• Address CVE-2021-44832.

This release addresses CVE-2021-44832 for users still using Java 7.

The Log4j 2.12.4 API, as well as many core components, maintains binary
compatibility with previous releases.

GA Release 2.12.4

Changes in this version include:

Fixed Bugs

• LOG4J2-3293: JdbcAppender now uses JndiManager to access JNDI
resources. JNDI is only enabled when system property
log4j2.enableJndiJdbc is set to true.

Apache Log4j 2.12.4 requires a minimum of Java 7 to build and run. Log4j
2.3 was the last release that supported Java 6.

Basic compatibility with Log4j 1.x is provided through the log4j-1.2-api
component; however, it does not implement some of the very
implementation-specific classes and methods. The package names and Maven groupId have
been changed to org.apache.logging.log4j to avoid any conflicts
with log4j 1.x.

For complete information on Apache Log4j 2, including instructions on
how to submit bug reports, patches, or suggestions for improvement, see
the Apache Log4j 2 website:

https://logging.apache.org/log4j/2.12.4/index.html
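
An added triage helper (not part of the Apache announcement or of the CERT-Renater note): it applies the fixed versions listed above to a log4j-core version and lists the JDBC appenders in a log4j2.xml that use a JNDI DataSource, since the fixed releases enable JNDI for them only when log4j2.enableJndiJdbc is set to true. The function names, the sample configuration and the mapping of release lines to Java versions are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed sample log4j2.xml: one JDBC appender using a JNDI DataSource.
SAMPLE_CONFIG = """<Configuration><Appenders>
  <JDBC name="auditDb" tableName="app_log">
    <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
  </JDBC>
  <Console name="stdout"/>
</Appenders></Configuration>"""

def parse_version(text):
    """Accept '2.12.3' or 'log4j-core-2.12.3.jar' and return (2, 12, 3)."""
    m = re.search(r"(?:^|-)(\d+)\.(\d+)(?:\.(\d+))?(?:\.jar)?$", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def fixed_release(version):
    """Return the advisory's fixed release for the line this version is on."""
    # Assumption (Log4j release history, not stated on the page): 2.0-2.3.x is
    # the Java 6 line, 2.4-2.12.x the Java 7 line, 2.13 and later the Java 8 line.
    if version[0] != 2:
        raise ValueError("the advisory covers Log4j 2.x only")
    if version[:2] <= (2, 3):
        return (2, 3, 2)
    if version[:2] <= (2, 12):
        return (2, 12, 4)
    return (2, 17, 1)

def jndi_jdbc_appenders(config_xml):
    """Return (appender name, jndiName) for each JDBC appender using JNDI."""
    found = []
    for elem in ET.fromstring(config_xml).iter():
        if elem.tag.split("}")[-1].lower() != "jdbc":
            continue
        for child in elem:
            if child.tag.split("}")[-1].lower() == "datasource" and child.get("jndiName"):
                found.append((elem.get("name"), child.get("jndiName")))
    return found

def triage(version_text, config_xml):
    """Report the release to upgrade to (None if already fixed) and JNDI use."""
    version = parse_version(version_text)
    fixed = fixed_release(version)
    return {"upgrade_to": None if version >= fixed else ".".join(map(str, fixed)),
            # On a fixed release these appenders need log4j2.enableJndiJdbc=true.
            "jndi_jdbc_appenders": jndi_jdbc_appenders(config_xml)}

print(triage("log4j-core-2.12.3.jar", SAMPLE_CONFIG))
```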


=======================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=======================================================