As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of specific CVEs, severity, and affected versions can be a bit of a task on the fly. As such, herein is a quick table version of update guidance. The current supported version of Log4j2 for Java 8 is 2.17.1 as of this writing.
Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.
Log4j 2 Security Vulnerabilities Update Guide
Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4
Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
All versions from 2.0-beta9 to 2.16.0, excluding 2.12.3
Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
All versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
All versions from 2.0-beta9 to 2.14.1
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Source: Read More (SANS Internet Storm Center, InfoCON: green)