Is Apache Log4j 2.12.4 patched?
Current stable (2.26.0): 100/100
2.12.4 has 2 open critical-or-high vulnerabilities. Run 2.25.4 or later to clear them. See what 2.25.4 fixes →
Summary iPlain-English security status for Apache Log4j 2.12.4, built from its CVEs, active-exploitation data, end-of-life date and latest release.
Apache Log4j 2.12.4 is part of the 2.12 release line. 4 known vulnerabilities affect it. The minimum safe version is 2.25.4 — upgrade to it or later to clear the open critical/high issues. The 2.12 line reached end-of-life on 2021-12-14, so it no longer receives security patches. The latest supported Apache Log4j release is 2.26.0.
Known issues affecting 2.12.4
Exploited first, then by exploitation probability.
CVE-2026-34480 HIGH EPSS 1% → fixed in 2.25.4 CVE-2025-68161 MEDIUM EPSS 1% → fixed in 2.25.3 CVE-2026-34479 HIGH EPSS 1% → fixed in 2.25.4 CVE-2026-34477 MEDIUM EPSS 0% → fixed in 2.25.4Other Apache Log4j versions
Check another release line of Apache Log4j.
Frequently asked
Is Apache Log4j 2.12.4 patched?
Apache Log4j 2.12.4 is end-of-life and no longer receives security patches. Move to 2.26.0.
What version should I upgrade Apache Log4j 2.12.4 to?
Upgrade Apache Log4j 2.12.4 to at least 2.25.4 to clear its 2 open critical-or-high vulnerabilities.
When does Apache Log4j 2.12 reach end-of-life?
Apache Log4j 2.12 reached end-of-life on 2021-12-14 and no longer receives security patches.
What is the latest version of Apache Log4j?
The latest supported Apache Log4j release is 2.26.0.
Is Apache Log4j 2.12.4 still receiving security updates?
No — Apache Log4j 2.12.4 is on the 2.12 line, which reached end-of-life on 2021-12-14 and no longer receives security updates. Upgrade to 2.26.0 or later to stay supported.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Apache's official advisory before you patch or upgrade — Apache Log4j official site ↗