Synced 17 Jun 2026 06:32 UTC Account

Is Apache Log4j 2.3.2 patched?

Apache · cycle 2.3 · end of life · Official site ↗
2.3.220/100Critical · exploited

Current stable (2.26.0): 100/100

Minimum safe version2.25.4

2.3.2 has 3 open critical-or-high vulnerabilities. Run 2.25.4 or later to clear them. See what 2.25.4 fixes →

1 of the vulnerability affecting 2.3.2 is linked to ransomware campaigns (CISA KEV) — prioritise patching.
Health score20/100
Open issues4
Exploited now1
Cycle 2.3 EOL2015-09-20
Latest release2.26.0

Summary iPlain-English security status for Apache Log4j 2.3.2, built from its CVEs, active-exploitation data, end-of-life date and latest release.

Apache Log4j 2.3.2 is part of the 2.3 release line. 1 actively-exploited vulnerability affects it (CISA KEV). 1 is linked to ransomware campaigns (CISA KEV). The minimum safe version is 2.25.4 — upgrade to it or later to clear the open critical/high issues. The 2.3 line reached end-of-life on 2015-09-20, so it no longer receives security patches. The latest supported Apache Log4j release is 2.26.0.

Known issues affecting 2.3.2

Exploited first, then by exploitation probability.

CVE-2021-45046 CRITICAL exploited ransomware EPSS 100% → fixed in 2.16.0 CVE-2017-5645 CRITICAL EPSS 89% → fixed in 2.8.2 CVE-2026-34480 HIGH EPSS 1% → fixed in 2.25.4 CVE-2025-68161 MEDIUM EPSS 1% → fixed in 2.25.3

Other Apache Log4j versions

Check another release line of Apache Log4j.

Apache Log4j 2.26.0Apache Log4j 2.12.4Apache Log4j 1.2.17

Frequently asked

Is Apache Log4j 2.3.2 patched?

No — 1 actively-exploited vulnerability affects Apache Log4j 2.3.2. Upgrade to at least 2.25.4.

What version should I upgrade Apache Log4j 2.3.2 to?

Upgrade Apache Log4j 2.3.2 to at least 2.25.4 to clear its 3 open critical-or-high vulnerabilities.

When does Apache Log4j 2.3 reach end-of-life?

Apache Log4j 2.3 reached end-of-life on 2015-09-20 and no longer receives security patches.

What is the latest version of Apache Log4j?

The latest supported Apache Log4j release is 2.26.0.

Is Apache Log4j 2.3.2 still receiving security updates?

No — Apache Log4j 2.3.2 is on the 2.3 line, which reached end-of-life on 2015-09-20 and no longer receives security updates. Upgrade to 2.26.0 or later to stay supported.

Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Apache's official advisory before you patch or upgrade — Apache Log4j official site ↗