The Apache Log4j 2 team is pleased to announce the Log4j 2.17.0 release! Apache Log4j is a well known framework for logging application behavior. Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many other modern features such as support for Markers, lambda expressions for lazy logging, property substitution using Lookups, multiple patterns on a PatternLayout and asynchronous Loggers. Another notable Log4j 2 feature is the ability to be "garbage-free" (avoid allocating temporary objects) while logging. In addition, Log4j 2 will not lose events while reconfiguring.
The artifacts may be downloaded from https://logging.apache.org/log4j/2.x/download.html. The major changes contained in this release include: • Address CVE-2021-45105 by disabling recursive evaluation of Lookups during log event processing. Recursive evaluation is still allowed while generating the configuration. • The JndiLookup, JndiContextSelector, and JMSAppender now require individual system properties to be enabled. • Remove LDAP and LDAPS as supported protocols from JNDI. The single log4j2.enableJndi property introduced in Log4j 2.16.0 has been replaced with three individual properties; log4j2.enableJndiContextSelector, log4j2.enableJndiJms, and log4j2.enableJndiLookup. The Log4j 2.17.0 API, as well as many core components, maintains binary compatibility with previous releases. GA Release 2.17.0 Changes in this version include: Fixed Bugs • LOG4J2-3230: Fix string substitution recursion. • LOG4J2-3242: Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. • LOG4J2-3241: Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin. • LOG4J2-3247: PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. • LOG4J2-3249: Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. • LOG4J2-3237: Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. Apache Log4j 2.17.0 requires a minimum of Java 8 to build and run. Log4j 2.12.2 is the last release to support Java 7. Java 7 is not longer supported by the Log4j team. For complete information on Apache Log4j 2, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Log4j 2 website: https://logging.apache.org/log4j/2.x/index.html.
