Log4Shell (CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105)

vulnerability Dec 15, 2021
Details of this blog have been updated as of 14:00 on 18 December 2021 and are currently correct and up to date at the time of this update.

In December 2021 a vulnerability termed Log4Shell was publicly disclosed. Initially only CVE-2021-44228 was associated with it, but it later transpired that the fix for this CVE did not address all issues, so CVE-2021-45046 is also associated with it. More recently CVE-2021-45105 was identified, and it has now been fixed in version 2.17.0.

Affected Versions

This only affects log4j-core; if you are using log4j-api without log4j-core, you are not vulnerable. However, if you are using both, you will need to ensure both are on the same version, otherwise you will get errors.

  • log4j-core <= 2.14.1: CVE-2021-44228 (High Risk)
    • CVSS 10: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Remote Code Execution (RCE)
  • log4j-core = 2.15.0: CVE-2021-45046 (Low Risk)
    • CVSS 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
    • CVSS 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
    • Remote Code Execution (RCE), but only with a customised logging configuration
  • log4j-core <= 2.16.0 (excluding 2.12.13): CVE-2021-45105 (Low Risk)
    • CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    • Denial of Service (DoS), but only with a customised logging configuration
  • log4j = 1.x: CVE-2021-44228 (only if JMSAppender is configured)

Recommended Actions

  • log4j-core <= 2.14.1: Update to version 2.17.0
  • log4j-core = 2.15.0: Update to version 2.17.0 (the earlier advice was to update to version 2.16.0 if and when you can, since the remaining issue only represented a minor severity in terms of a denial of service risk in specific situations)
  • log4j-core = 2.16.0: Update to version 2.17.0
  • Where updating is not possible, remove the class JndiLookup from the library: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Previous advice was to set the property formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS; this is no longer deemed appropriate. The same goes for the pattern layout options %m{nolookups}, %msg{nolookups} and %message{nolookups}.
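To turn the version table and the JndiLookup removal advice above into a check you can run against your own deployments, here is an added example (not part of the original post): it reads the version from each log4j-core jar's Maven pom.properties, checks whether JndiLookup.class is still present, and maps both to the CVEs listed above. The jars it scans are constructed stand-ins built in a temp directory, not the real library, and the 2.12.x backport branch is not modelled.

```python
import tempfile
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar; JNDI_CLASS is the class the advice above deletes.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def assess(version, jndi_present):
    """Map a version tuple such as (2, 14, 1) and JndiLookup presence to the CVEs above."""
    cves = []
    if version <= (2, 14, 1):
        cves.append("CVE-2021-44228")
    if version == (2, 15, 0):
        cves.append("CVE-2021-45046")
    if version <= (2, 16, 0):
        cves.append("CVE-2021-45105")
    if not jndi_present:  # class deleted: the JNDI issues are gone, the lookup DoS is not
        cves = [c for c in cves if c == "CVE-2021-45105"]
    return cves

def inspect_jar(path):
    """Version, JndiLookup presence and CVEs for one log4j-core jar; None if not log4j-core."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None
        lines = jar.read(POM_PROPS).decode().splitlines()
        props = dict(l.split("=", 1) for l in lines if "=" in l and l[0] != "#")
        version = tuple(int(p) for p in props["version"].strip().split("."))  # no pre-release tags
        jndi = JNDI_CLASS in names
        return {"version": props["version"].strip(), "jndi_lookup": jndi,
                "cves": assess(version, jndi)}

def make_fake_jar(directory, version, with_jndi):
    """Constructed stand-in for a log4j-core jar (not the real library): pom.properties + marker."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")
    return path

def demo_scan():
    """Scan a temp dir holding three constructed jars: unpatched, JndiLookup removed, fixed."""
    with tempfile.TemporaryDirectory() as tmp:
        for version, with_jndi in (("2.14.1", True), ("2.15.0", False), ("2.17.0", True)):
            make_fake_jar(tmp, version, with_jndi)
        reports = ((p.name, inspect_jar(p)) for p in Path(tmp).rglob("*.jar"))
        return {name: info for name, info in reports if info is not None}
```

Shaded or repackaged jars often lack the log4j-core pom.properties, so for those you would need to look for the JndiLookup class path directly rather than rely on the version string.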

You can get the full details from the official Apache security advisory.


Sean Wright

Lead Application Security SME at Immersive Labs with an origin as a software developer. Primarily focused on web based application security with a special interest in TLS related subjects.
