
Apache Log4j 2.16.0 Released – New Features, Security Fixes, and Upgrade Guidance

Apache Log4j 2.16.0 has been released, offering updated SLF4J adapters, disabling JNDI by default to mitigate CVE‑2021‑44228, removing message lookups, and requiring Java 8+, with detailed upgrade instructions and links to download and issue trackers.

Laravel Tech Community

Apache Log4j 2.16.0 is now available. The Apache Log4j 2 team announces the release of version 2.16.0.

You can download the artifacts from https://logging.apache.org/log4j/2.x/download.html.

This version includes several notable changes.

Due to a compatibility break in SLF4J bindings, Log4j now provides two versions of the SLF4J‑to‑Log4j adapter:

log4j-slf4j-impl for SLF4J 1.7.x and earlier versions;

log4j-slf4j18-impl for SLF4J 1.8.x and newer versions. The SLF4J‑2.0.0 alpha release is not fully supported yet.

For detailed information, see the issues LOG4J2-2975 and SLF4J-511.

Some changes

Message Lookups have been removed to strengthen protection against CVE‑2021‑44228; this removal is not required to fix that CVE.

Although version 2.15.0 removed JNDI handling, the Log4j team considers JNDI enabled by default a security risk. Starting with version 2.16.0, JNDI is disabled by default and can be re‑enabled via the system property log4j2.enableJndi. Using JNDI in an unprotected context poses a significant security risk.

Prior to version 2.15.0, Log4j automatically resolved Lookups in messages or parameters within Pattern Layout. This behavior is no longer the default and must be explicitly enabled with %msg{lookup}.

Upgrading to 2.16.0 is strongly recommended.

Bug fixes

LOG4J2-3208: JNDI is disabled by default; to allow JNDI, set log4j2.enableJndi to true.

LOG4J2-3211: Complete removal of message lookup support.
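As an added example (not code from the Log4j project or the original post), the following Python audit flags the three conditions these notes warn about: a log4j-core jar below 2.16.0, a JVM argument that sets log4j2.enableJndi back to true, and a Pattern Layout that asks for message lookups. The function names are this example's own, and the jar paths, JVM arguments and layout patterns are constructed sample data.

```python
import re

MIN_VERSION = (2, 16, 0)  # the release this page recommends

# log4j-core-2.14.1.jar, log4j-core-2.9.jar, log4j-core-2.16.0-sources.jar ...
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
# JNDI switched back on via the system property; case-insensitive so =TRUE is caught
JNDI_RE = re.compile(r"-Dlog4j2\.enableJndi=true\b", re.IGNORECASE)
# %m / %msg / %message (with optional width modifiers) plus its {option} groups
MSG_RE = re.compile(r"%[-.\d]*(?:message|msg|m)((?:\{[^{}]*\})+)")


def jar_version(path):
    """Return the log4j-core version in a jar path as a tuple, or None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def requests_lookups(pattern):
    """True if a Pattern Layout string asks for message lookups.
    Accepts the page's spelling {lookup} and the plural {lookups};
    {nolookups} is the opposite option and is not flagged."""
    for m in MSG_RE.finditer(pattern):
        options = re.findall(r"\{([^{}]*)\}", m.group(1))
        if any(o.strip().lower() in ("lookup", "lookups") for o in options):
            return True
    return False


def audit(jar_paths, jvm_args, layout_patterns):
    """Return (finding, evidence) pairs for anything that undoes 2.16.0 defaults."""
    findings = []
    for path in jar_paths:
        version = jar_version(path)
        if version is not None and version < MIN_VERSION:
            findings.append(("log4j-core-below-2.16.0", path))
    findings += [("jndi-re-enabled", a) for a in jvm_args if JNDI_RE.search(a)]
    findings += [("message-lookups-requested", p)
                 for p in layout_patterns if requests_lookups(p)]
    return findings


# Constructed sample inventory, not taken from any real system.
SAMPLE_JARS = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/svc/lib/log4j-core-2.16.0.jar"]
SAMPLE_ARGS = ["-Xmx512m", "-Dlog4j2.enableJndi=true"]
SAMPLE_PATTERNS = ["%d %-5p %c - %m{nolookups}%n", "%d %p %msg{lookup}%n"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_JARS, SAMPLE_ARGS, SAMPLE_PATTERNS):
        print(finding)
```

The check reads version numbers from jar file names only, so shaded or repackaged copies of log4j-core need a separate inventory step.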

Apache Log4j 2.16.0 requires at least Java 8 to build and run. Log4j 2.12.1 is the last version that supports Java 7, which the Log4j team does not treat as a long‑term supported version.

For complete information about Apache Log4j 2, including how to submit bug reports, patches, or improvement suggestions, visit the Apache Log4j 2 website:

https://logging.apache.org/log4j/2.x/
