Is Apache Log4j 1.2.17 patched?
Current stable (2.26.0): 100/100
1.2.17 has 6 open critical-or-high vulnerabilities. Run 2.25.4 or later to clear them. See what 2.25.4 fixes →
Summary iPlain-English security status for Apache Log4j 1.2.17, built from its CVEs, active-exploitation data, end-of-life date and latest release.
Apache Log4j 1.2.17 is part of the 1.2 release line. 6 known vulnerabilities affect it. The minimum safe version is 2.25.4 — upgrade to it or later to clear the open critical/high issues. The latest supported Apache Log4j release is 2.26.0.
Known issues affecting 1.2.17
Exploited first, then by exploitation probability.
CVE-2019-17571 CRITICAL EPSS 69% → see advisory CVE-2022-23305 CRITICAL EPSS 67% → see advisory CVE-2022-23302 HIGH EPSS 62% → see advisory CVE-2022-23307 HIGH EPSS 52% → fixed in 2.0 CVE-2020-9493 CRITICAL EPSS 5% → fixed in 2.0 CVE-2023-26464 HIGH EPSS 2% → fixed in 2.0Other Apache Log4j versions
Check another release line of Apache Log4j.
Frequently asked
Is Apache Log4j 1.2.17 patched?
Apache Log4j 1.2.17 has 6 open critical-or-high vulnerabilities. The minimum safe version is 2.25.4 — upgrade to 2.25.4 or later to clear them.
What version should I upgrade Apache Log4j 1.2.17 to?
Upgrade Apache Log4j 1.2.17 to at least 2.25.4 to clear its 6 open critical-or-high vulnerabilities.
What is the latest version of Apache Log4j?
The latest supported Apache Log4j release is 2.26.0.
Is Apache Log4j 1.2.17 still receiving security updates?
Yes — the 1.2 line is still supported and receiving security updates. The latest release is 2.26.0.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Apache's official advisory before you patch or upgrade — Apache Log4j official site ↗