Understanding
Log4j Vulnerabilities

The fix for CVE-2021-44228 was incomplete in certain non-default configurations. It could still allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in denial of service or remote code execution.

Apache Log4j2 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

Apache Log4j2 remote code execution vulnerability via JDBC Appender with data source element when the attacker has write access to the Log4j configuration or if the configuration references an attacker-controlled LDAP server.

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Log4j 1.x has reached End of Life and should no longer be used.

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Allows remote code execution.

JDBCAppender in Log4j 1.2.x accepts SQL statements as configuration parameters where values can be inserted with converters. This allows attackers to manipulate SQL statements via crafted input.

CVE-2020-9493 identified a deserialization issue in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x and vulnerable to remote code execution attacks.

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow a MITM attack to capture sensitive log data sent via email.

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can lead to remote code execution.

When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could result in local privilege escalation.

When using Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry can trigger a denial of service condition.

Apache Log4j Core's Socket Appender fails to verify TLS hostnames even when verifyHostName is set to true, allowing man-in-the-middle attackers with a certificate from any trusted CA to intercept or redirect sensitive log traffic.

The fix for CVE-2025-68161 was incomplete: the verifyHostName attribute is silently ignored in all versions through 2.25.3, leaving TLS connections in SMTP, Socket, and Syslog appenders vulnerable to interception regardless of configuration.

Apache Log4j Core's Rfc5424Layout in versions 2.21.0 through 2.25.3 is vulnerable to CRLF log injection due to silent renames of the newLineEscape and useTlsMessageFormat attributes, breaking newline escaping and downgrading TLS-framed connections to unframed TCP.

The Log4j1XmlLayout in the Apache Log4j 1-to-Log4j 2 bridge fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML that causes downstream parsers to reject or drop log records silently.

Apache Log4j Core's XmlLayout in versions up to 2.25.3 fails to sanitize characters forbidden by XML 1.0, producing malformed output that conforming parsers must reject with a fatal error, causing log event loss or exceptions depending on the StAX implementation.

Apache Log4j Core's JsonTemplateLayout fails to properly escape special characters in log messages, potentially producing invalid JSON output that disrupts downstream log processing systems.