Impact of December 2021 Apache Log4j Vulnerabilities on Oracle Java SE (CVE-2021-44228 and CVE-2021-45046)
(Doc ID 2830166.1)
Last updated on FEBRUARY 20, 2024
Applies to:Java SE JDK and JRE - Version 7 and later
Information in this document applies to any platform.
On December 10, 2021, Oracle released Security Alert CVE-2021-44228 in response to the disclosure of a new vulnerability affecting Apache Log4j versions 2.0 through 2.15.0. Subsequently, the Apache Software Foundation released Apache Log4j version 2.16.0, which addresses an additional vulnerability (CVE-2021-45046). Mitigation instructions from Apache for these issues also evolved over time. This document details the impact of these vulnerabilities on Oracle Java Runtimes (JDK and JRE).
Oracle Java Runtimes (JDK and JRE) do not include the Apache's Log4j library and are not impacted by CVE-2021-44228 and CVE-2021-45046.
It is possible, however, that applications or frameworks running on Java Runtimes introduce a dependency to a vulnerable version of Apache Log4J.
Please review your programs' third-party dependencies to see what programs might be impacted. Oracle also recommends that, if you determine that you are using affected Log4j libraries, you implement the recommendations from the Apache Software Foundation.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!