Log4j Vulnerability Resource Center

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

Not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.

Read Now

Log4j Exploit Explained - Everything You Need to Know to Protect Yourself

Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Any software written in Java is very likely to contain Log4j somewhere in its stack.

Watch Now

Critical Log4j Vulnerability Still Being Downloaded 40% of the Time

Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving, the number of variants we're seeing and share new trends in Log4j downloads.

Watch Now

Nexus Vulnerability Scanner

Produce a Software Bill of Materials and catalog all of the components in your application.

SCAN NOW

Sonatype Lift

Find and fix critical security, performance, reliability, and style issues in developer code.

TRY FOR FREE

OSS Index

Detect publicly disclosed vulnerabilities contained within your project’s dependencies

LEARN MORE

Sonatype Updates

BLOG

Critical New 0-day Vulnerability in Popular Log4j Library Discovered

Read Now

ARTICLE

Log4Shell Help for Central Publishers

Read Now

BLOG

Helping The Open Source Community Find, Fix, and Remediate Log4j

Read Now

VIDEO

Dissecting the Log4j Vulnerability

Watch Now

All Log4j, logback bugs we know so far and why you MUST ditch 2.15

ARTICLE

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

Read Now

Video

Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

Watch Now

FORUM

Sonatype Log4j Community Forum

Join Now

VIDEO

Find and Fix Log4j with Sonatype

Read Now

CVE-2021-44228 (Critical):

Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).

CVE-2021-44228 (Critical):

Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.

CVE-2021-4104 (Moderate):

CVE-2021-45046 (HIGH):

DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.

Sonatype-2021-4517 aka CVE-2021-42550 (Moderate):

Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591

CVE-2021-45046 (HIGH):

DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.

Sonatype-2021-4517 aka CVE-2021-42550 (Moderate):

Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue: https://jira.qos.ch/browse/LOGBACK-1591

Sonatype-2021-4560 (High):

Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.

Software composition analysis

Container Security

CODE QUALITY ANALYSIS

Repository MANAGEMENT

Complete Platform

Book a Demo

For Professionals

For Industries

Content

CUSTOMER Portal

Integrations & Free Tools

About us

Contact Us

Log4j Exploit Updates

As the stewards of Maven Central, our teams are working around the clock to ensure that the world has reliable and fast access to the latest Log4shell fixes.

Log4j Download Dashboard

4,588,330

36% (10,564)

4,588,330

36% (10,564)

Latest Insights

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

Log4j Exploit Explained - Everything You Need to Know to Protect Yourself

Critical Log4j Vulnerability Still Being Downloaded 40% of the Time

Free Tools to Help You Now

Nexus Vulnerability Scanner

Sonatype Lift

OSS Index

“This new Log4j vulnerability is likely going to be another “flashbulb memory” event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem.”

—Brian Fox, Sonatype CTO in The Daily Swig

Sonatype Updates

BLOG

Critical New 0-day Vulnerability in Popular Log4j Library Discovered

ARTICLE

Log4Shell Help for Central Publishers

BLOG

Helping The Open Source Community Find, Fix, and Remediate Log4j

VIDEO

Dissecting the Log4j Vulnerability

ARTICLE

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

Video

Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

FORUM

Sonatype Log4j Community Forum

VIDEO

Find and Fix Log4j with Sonatype

Have questions about Log4j? Ask the Sonatype community.

Have questions about Log4j? Ask the Sonatype community.

Sonatype Documentation & Research

“This is akin to someone figuring out mailing a letter into your post box with a specific address written on it allows them to open all your doors in your house.”

—Brian Fox, Sonatype CTO in BBC

Resources from around the Software Community

The Log4shell CVE from Mitre

Apache Foundation’s Log4j page with details

The Log4shell CVE from Mitre

Apache Foundation’s Log4j page with details

List of Affected Software compiled by Netherlands National Cybersecurity Center

Gartner Article for security leaders

List of Affected Software compiled by Netherlands National Cybersecurity Center

Gartner Article for security leaders

Products

Free Tools

Solutions

Resources

Customer Portal

Company