Skip Navigation
Book a Demo
Book a Demo

Log4j exploit
updates

At the heart of the digital landscape, security is paramount.
In the wake of the Log4j exploit, our commitment to
safeguarding the online world has never been stronger.
As the stewards of Maven Central, our teams are
working around the clock to ensure that the world has
reliable and fast access to the latest Log4shell fixes.

In this digital age where data breaches, vulnerabilities, and
malware are a fairly common occurrence, our mission
is clear: to provide you with the tools and information needed to
fortify your digital defenses. Explore this page to stay updated on
the latest Log4j exploit developments, access critical fixes, and
empower yourself with the knowledge to protect your digital assets.

Log4j download dashboard

Log4j_Public_2021-12-18T0052 2
 

Insights for innovators

GettyImages-1298133977
BLOG POST

FTC Warning in Wake of Log4j: Secure Your Software Supply Chain

Not addressing Log4shell issues are looking at more than downtime or reputation damage. U.S. regulators are considering lawsuits to enforce security.
Read More
Log4j Video Preview 2
WEBINAR

Log4j Exploit Explained - Everything You Need to Know to Protect Yourself

Organizations need to be aware of Log4j not only in the software they produce, but also in the software they use. Any software written in Java is very likely to contain Log4j somewhere in its stack.
Read More
image3-3
MEDIA HIT

Critical Log4j Vulnerability Still Being Downloaded 40% of the Time

Sonatype's Java and Apache Software Foundation experts give another update on how the Log4j exploit is evolving, the number of variants we're seeing and share new trends in Log4j downloads. 
Watch Now
 

Free tools to help you now

Vulnerability- Scanner-icon-only-White + Color

Sonatype Vulnerability Scanner

Produce a Software Bill of Materials and catalog all of the components in your application.

Scan Now
OWASP-icon

OSS Index

Detect publicly disclosed vulnerabilities contained within your project’s dependencies

Learn More
“This new Log4j vulnerability is likely going to be another “flashbulb memory” event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem.”
Brian Fox
SONATYPE CTO IN THE DAILY SWING
hdr_logo
Read Article
 

Sonatype updates

Log4j-Blog-Latest-Updates-1
BLOG

Critical New 0-day Vulnerability in Popular Log4j Library Discovered

Read Now
Log4j Video Preview 3
ARTICLE

Log4Shell Help for Central Publishers

Read Now
article-community-log4j-blog-v3
BLOG

Helping The Open Source Community Find, Fix, and Remediate Log4j

Read Now
Webinar-Thumbnail-Dissecting-Log4j
VIDEO

Dissecting the Log4j Vulnerability

Watch Now
Log4j-thumbnail-Bleepingcomputer
ARTICLE

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

Read Now
Group 2684
VIDEO

Critical New 0-day Vulnerability in Popular Log4j Library Affecting Applications in Mass

Watch Now
Community-Log4j-info-thumbnail
FORUM

Sonatype Log4j Community Forum

Join Now
Log4j Video Preview 4
VIDEO

Find and Fix Log4j with Sonatype

Watch Now

Have questions about Log4j?

Ask the Sonatype Community

Sonatype documentation & research

CRITICAL

CVE-2021-44228

Original log4j CVE that started it all. Impacts “org.apache.logging.log4j.log4j-core” versions 2.x only: <2.15.0 affected.
MODERATE

CVE-2021-4104

Less severe variant of CVE-2021-44228 impacting log4j 1.x only. Impacts all versions of a different group/artifact altogether: “log4j:log4j.” Not applicable to “log4j-core” (those are 2.x versions).
HIGH

CVE-2021-45046

DoS vulnerability impacting log4j-core version <=2.15.0 but not 2.16.0.
MODERATE

SONATYPE-2021-4517 AKA CVE-2021-42550

Similar to CVE-2021-4104, but impacts “logback-classic,” and “logback-core,” as logback is based off of log4j 1.x. Sonatype ID is based on this issue.
HIGH

SONATYPE-2021-4560

Applies to log4j 2.x versions until and including 2.15.0. Fixed version to be on is 2.16.0. Vulnerability based on Praetorian’s blog. Summed up more stuff in this news report. Currently under Fast-Track as full disclosure is pending with Apache. More details will be released in due course of time.
"This is akin to someone figuring out mailing a letter into your post box with a specific address written on it allows them to open all your doors in your house.”
Brian Fox
Sonatype CTO in BBC
hdr_logo
Read Article
 

Resources from around the software community

Gartner
Article for Security Leaders
Netherlands National Cybersecurity Center
List of Affected Software
Apache Foundation
Log4j Page with Details
Mitre
Article for Security Leaders

Protect your software from Log4j

Book a Demo