
Apache Log4j 2.17.0 Release Fixes CVE‑2021‑45105 and Other Vulnerabilities

Apache Log4j 2.17.0 has been released, addressing CVE‑2021‑45105 and fixing recursive string‑replacement vulnerabilities that could cause StackOverflowError DoS attacks, while also tightening JNDI usage and correcting several configuration and appender issues, with recommended mitigation steps for earlier versions.

Laravel Tech Community

Apache Log4j 2.17.0 has been officially released, fixing CVE‑2021‑45105, the third security vulnerability discovered in the library.

Versions 2.0‑alpha1 through 2.16.0 allowed uncontrolled recursive self‑referential lookups. When a non‑default Pattern Layout with Context Lookup (e.g., $${ctx:loginId}) was used, an attacker could supply malicious input that triggered recursive lookups, causing a StackOverflowError and terminating the process – a denial‑of‑service (DoS) attack.

Starting with version 2.17.0 (for Java 8), only lookup strings that appear in the configuration are recursively expanded; in all other contexts only the top‑level lookup is resolved, and nested lookups are not processed.

For earlier versions, the issue can be mitigated by ensuring your logging configuration does the following:

In the PatternLayout of the logging configuration, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).

Alternatively, remove any references to ${ctx:loginId} or similar Context Lookups from the configuration. These values often originate from external sources such as HTTP headers or user input, which is what makes them attacker‑controllable.
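An added check (example code, not from the Log4j project or this article) that finds Context Lookups in a Log4j 2 configuration and shows the Thread Context Map pattern that replaces them. The two configuration fragments are constructed for the example, and the regex-based scan is an assumption that covers the ${ctx:...} and $${ctx:...} forms only.

```python
import re

# Constructed sample log4j2.xml fragments. The first embeds a Context Lookup in the
# PatternLayout (the non-default setup CVE-2021-45105 requires); the second uses the
# Thread Context Map pattern %X{...}, which reads the value without lookup expansion.
VULNERABLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

FIXED_CONFIG = """<Configuration>
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

# Matches ${ctx:key} and $${ctx:key} (the doubled form is the deferred lookup
# that is evaluated per log event, which is why it is the risky one in a pattern).
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")


def _mdc_pattern(lookup_body):
    # A lookup may carry a default (${ctx:key:-fallback}); %X has no default syntax,
    # so the key alone is kept. This simplification is an assumption of the example.
    return "%X{" + lookup_body.split(":-")[0] + "}"


def find_context_lookups(config_text):
    """Return (line_number, lookup_text, suggested_replacement) for every Context Lookup."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for m in CTX_LOOKUP.finditer(line):
            findings.append((lineno, m.group(0), _mdc_pattern(m.group(1))))
    return findings


def rewrite_context_lookups(config_text):
    """Replace each Context Lookup with the equivalent Thread Context Map pattern."""
    return CTX_LOOKUP.sub(lambda m: _mdc_pattern(m.group(1)), config_text)


if __name__ == "__main__":
    for lineno, found, suggestion in find_context_lookups(VULNERABLE_CONFIG):
        print(f"line {lineno}: replace {found} with {suggestion}")
```

Run it over each log4j2.xml (or properties file) in an estate still on a version below 2.17.0 to list the patterns that need changing before the upgrade lands.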

The specific updates in version 2.17.0 include:

Fix for recursive string replacement (LOG4J2‑3230).

JNDI is limited to the java protocol and remains disabled by default. The enableJndi property has been split and renamed into enableJndiLookup, enableJndiJms, and enableJndiContextSelector (LOG4J2‑3242).

JNDI is limited to the java protocol; the enabling property is renamed to log4j2.enableJndiJava (LOG4J2‑3242).

log4j-api-java9 and log4j-core-java9 are no longer declared as dependencies, since doing so caused problems with the Maven Enforcer plugin (LOG4J2‑3241).

Fix for NullPointerException when parsing appender filters in PropertiesConfiguration (LOG4J2‑3247).

Syslog Appender’s Log4j 1.2 bridge now defaults to port 512 instead of 514 (LOG4J2‑3249).

Log4j 1.2 bridge API now hard‑codes the Syslog protocol to TCP (LOG4J2‑3237).

Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
