Apache Log4j ↗

Apache · Dev / Logging

Track your version:Monitors Apache Log4j and tailors your dashboard to that exact version.

2.26.0 · latest cycle100/100 Healthy

Summary iPlain-English security verdict for Apache Log4j, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.

Apache Log4j currently scores 100/100 — healthy. 2 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2021-44228) — staying on the latest supported version keeps you clear of them. The latest supported release is 2.26.0. It's on the latest patch with no significant known issues — keep it current.

Disclosure trend iNew CVEs published for Apache Log4j each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.

'19

'20

'21

'22

'23

'24

'25

'26

2 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).

Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.

Most urgent first — actively exploited, then likeliest to be exploited.

CVE-2021-44228 CRITICAL exploited ransomware Improper input validation EPSS 100% → fixed in 2.15.0 CVE-2021-45046 CRITICAL exploited ransomware CWE-917 EPSS 100% → fixed in 2.16.0 CVE-2021-45105 MEDIUM Improper input validation EPSS 100% → fixed in 2.12.3 CVE-2021-44832 MEDIUM Improper input validation EPSS 98% → fixed in 2.17.1 CVE-2017-5645 CRITICAL Insecure deserialization EPSS 89% → fixed in 2.8.2 CVE-2021-4104 HIGH Insecure deserialization EPSS 81% → see advisory CVE-2019-17571 CRITICAL Insecure deserialization EPSS 69% → see advisory CVE-2022-23305 CRITICAL SQL injection EPSS 67% → see advisory CVE-2022-23302 HIGH Insecure deserialization EPSS 62% → see advisory CVE-2022-23307 HIGH Insecure deserialization EPSS 52% → fixed in 2.0 CVE-2020-9493 CRITICAL Insecure deserialization EPSS 5% → fixed in 2.0

See all 19 known Apache Log4j CVEs & security history →

Get alerted about Apache Log4j

Be emailed the moment Apache Log4j gets a newly exploited vulnerability (CISA KEV) or a release reaches end of life. Free · double opt-in · unsubscribe anytime.

We email only on real events for Apache Log4j — no marketing, no sharing, and we never know what you run. Track your whole stack →

Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.

How long each Apache Log4j release line is supported — and when it sunsets. Select a line for its full report.

Dec14'21 Apache Log4j 2.12ended 2021-12-14

Oct15'15 Apache Log4j 1ended 2015-10-15

Sept20'15 Apache Log4j 2.3ended 2015-09-20

Full Apache Log4j end-of-life dates & support timeline →

2 latest 2.26.0 Supported 2.26.0 → 2.12 latest 2.12.4 End of life ended 2021-12-142.12.4 → 2.3 latest 2.3.2 End of life ended 2015-09-202.3.2 → 1 latest 1.2.17 End of life ended 2015-10-151.2.17 → See all upcoming end-of-life dates →

Frequently asked

Is Apache Log4j safe and patched?

What should I do about Apache Log4j now?

Upgrade Apache Log4j to the latest supported release (2.26.0) or later, which clears the actively-exploited issues affecting older versions, then confirm against Apache's official advisory.

When does Apache Log4j reach end-of-life?

The latest supported Apache Log4j release is 2.26.0. After end-of-life a release no longer receives security patches.

Which versions of Apache Log4j are still receiving security updates?

Supported Apache Log4j release lines (latest 2.26.0): 2. End-of-life releases no longer receive security patches.

Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Apache's official advisory before you patch or upgrade — Apache Log4j official site ↗