The Apache Log4j 2 team is pleased to announce the Log4j 2.12.2 release! Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as support for Markers, lambda expressions for lazy logging, property substitution using Lookups, multiple patterns on a PatternLayout and asynchronous Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (avoid allocating temporary objects) while logging. In addition, Log4j 2 will not lose events while reconfiguring.
The 2.12.2 artifacts for Java 7 may be downloaded from https://logging.apache.org/log4j/log4j-2.12.2/download.html This release contains changes addressing only CVE-2021-44228 and CVE-2021-45046 for users still using Java 7: * Removed Message Lookups in PatternLayout. "%m{lookup}", "%m{nolookup}", and variants will still be accepted as conversion patterns, but have no effect. * Disabled JNDI by default and only allowing "java" protocol when enabled. * Made JNDI Lookup inoperable and removed the message Lookup capability. The Log4j 2.12.2 API, as well as many core components, maintains binary compatibility with previous releases. This version is recommended as an upgrade. ________________________________ Apache Log4j 2.12.2 requires a minimum of Java 7 to build and run. Log4j 2.16.0 is the most recent Log4j release and users are encouraged to upgrade this version, if possible. Java 7 is no longer supported by the Log4j team. For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: Site: https://logging.apache.org/log4j/2.x/ Main download page: https://logging.apache.org/log4j/2.x/download.html
