My Oracle Support Banner

Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Java SE (CVE-2021-44228 and CVE-2021-45046) (Doc ID 2830166.1)

Last updated on FEBRUARY 20, 2024

Applies to:

Java SE JDK and JRE - Version 7 and later
Information in this document applies to any platform.

Details

On December 10, 2021, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j versions 2.0 through 2.15.0.  Subsequently, the Apache Software Foundation released Apache Log4j version 2.16.0, which addresses an additional vulnerability (CVE-2021-45046). Mitigation instructions from Apache for these issues also evolved over time.  This document details the impact of these vulnerabilities on Oracle Java Runtimes (JDK and JRE).

Oracle Java Runtimes (JDK and JRE) do not include the Apache's Log4j library and are not impacted by CVE-2021-44228 and CVE-2021-45046.

It is possible, however, that applications or frameworks running on Java Runtimes introduce a dependency to a vulnerable version of Apache Log4J.

Actions

Please review your programs' third-party dependencies to see what programs might be impacted. Oracle also recommends that, if you determine that you are using affected Log4j libraries, you implement the recommendations from the Apache Software Foundation.

Contacts

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.