Apache Log4j
Log4j is the Java logging library from the Apache Software Foundation. Two distinct release families are in active use: 1.x (end-of-life since 2015) and 2.x (current). Both are tracked separately in NVD under different CPE product identifiers, and Attestd queries both to produce complete coverage across the full version range.
Querying Log4j
Product identifier: `log4j`. Example versions: 2.14.1, 1.2.17, 2.0-beta9.

```bash
curl "https://api.attestd.io/v1/check?product=log4j&version=2.14.1" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Log4j 2.14.1 is affected by Log4Shell (CVE-2021-44228). The response reflects the worst-case aggregation across all CVEs that apply to this version range, which in this case includes three critical CVEs discovered in the same disclosure window.
```json
{
  "product": "log4j",
  "version": "2.14.1",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "2.17.1",
  "confidence": 0.94,
  "cve_ids": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

Log4j 2.17.1 is the earliest 2.x version that resolves all known CVEs from the Log4Shell disclosure window.
```bash
curl "https://api.attestd.io/v1/check?product=log4j&version=2.17.1" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

CVE history
Log4j 2.x saw four CVEs disclosed in rapid succession between December 2021 and January 2022. Each required a separate patch, and several patches were found to be incomplete, requiring further fixes. The 1.x branch has its own set of deserialization CVEs, all unpatched (the branch is end-of-life).
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2021-44228 (KEV) | Log4Shell. JNDI lookup injection via message parameters allows unauthenticated remote code execution. Affects any application that logs attacker-controlled input. | 2.0-beta9 to 2.14.1 | 10.0 |
| CVE-2021-45046 | Incomplete fix for CVE-2021-44228. Context lookup with Thread Context Map input still allows information disclosure and remote code execution in non-default configurations. | 2.0-beta9 to 2.15.0 | 9.0 |
| CVE-2021-45105 | Infinite recursion via self-referential lookup in the Thread Context Map. Results in denial of service. Does not allow code execution. | 2.0-alpha1 to 2.16.0 | 7.5 |
| CVE-2021-44832 | Attacker with write access to the Log4j configuration file can construct a malicious data source configuration to execute arbitrary code. Requires control of config. | 2.0-alpha7 to 2.17.0 | 6.6 |
| CVE-2019-17571 | Log4j 1.x SocketServer class deserializes log events from untrusted sources without validation. Allows remote code execution against any running SocketServer listener. | 1.2.x (all) | 9.8 |
| CVE-2022-23302 | JMSSink in Log4j 1.x deserializes messages from a JNDI-connected JMS Broker without validation. Allows remote code execution if attacker controls the JMS Broker. | 1.x (all) | 8.8 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.
Dual CPE namespace
NVD uses two different CPE product identifiers for the Log4j family:
| CPE product identifier | Covers |
|---|---|
| cpe:2.3:a:apache:log4j | Log4j 1.x CVEs |
| cpe:2.3:a:apache:log4j2 | Log4j 2.x CVEs (Log4Shell and later) |

Querying only the 1.x namespace silently misses Log4Shell and all 2.x CVEs. Attestd queries both and merges results on CVE ID before synthesis, so a single API call covers the full product family.
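As an added example (not Attestd's own code), here is the merge-and-aggregate step that the query and dual-namespace sections describe: records for both CPE namespaces, constructed from this page's CVE table, are merged on CVE ID, filtered to the ones whose affected range covers the queried version, and reduced to the worst-case fields of the check response. The per-CVE fix versions, the 1.x range bounds and the CVSS-to-risk-state mapping are assumptions not stated on the page.

```python
import re

# Constructed from the CVE table on this page (affected ranges, CVSS, KEV flag).
# "fixed" (assumed) is the first release after each affected range; 1.x has no fix (end-of-life).
LOG4J1 = [  # cpe:2.3:a:apache:log4j
    {"cve": "CVE-2019-17571", "lo": "1.2.0", "hi": "1.2.17", "cvss": 9.8, "kev": False, "fixed": None},
    {"cve": "CVE-2022-23302", "lo": "1.0.0", "hi": "1.2.17", "cvss": 8.8, "kev": False, "fixed": None},
]
LOG4J2 = [  # cpe:2.3:a:apache:log4j2
    {"cve": "CVE-2021-44228", "lo": "2.0-beta9",  "hi": "2.14.1", "cvss": 10.0, "kev": True,  "fixed": "2.15.0"},
    {"cve": "CVE-2021-45046", "lo": "2.0-beta9",  "hi": "2.15.0", "cvss": 9.0,  "kev": False, "fixed": "2.16.0"},
    {"cve": "CVE-2021-45105", "lo": "2.0-alpha1", "hi": "2.16.0", "cvss": 7.5,  "kev": False, "fixed": "2.17.0"},
    {"cve": "CVE-2021-44832", "lo": "2.0-alpha7", "hi": "2.17.0", "cvss": 6.6,  "kev": False, "fixed": "2.17.1"},
]
STAGE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort below the final release (rank 3)

def parse_version(v):
    """Turn '2.0-beta9' / '2.14.1' into a tuple ordering alpha < beta < rc < final release."""
    core, _, tag = v.partition("-")
    nums = [int(x) for x in core.split(".")] + [0, 0, 0]
    m = re.fullmatch(r"(alpha|beta|rc)(\d*)", tag)
    stage, n = (STAGE[m.group(1)], int(m.group(2) or 0)) if m else (3, 0)
    return tuple(nums[:3]) + (stage, n)

def severity(cvss):
    """Assumed CVSS bands for risk_state."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

def check(version, *namespaces):
    """Merge per-CPE records on CVE ID, keep those whose range covers `version`, aggregate worst case."""
    hits = {}
    for records in namespaces:
        for r in records:
            if parse_version(r["lo"]) <= parse_version(version) <= parse_version(r["hi"]):
                hits.setdefault(r["cve"], r)  # a CVE listed under both namespaces counts once
    fixes = [r["fixed"] for r in hits.values() if r["fixed"]]
    worst = max((r["cvss"] for r in hits.values()), default=0.0)
    return {
        "version": version,
        "risk_state": severity(worst) if hits else "none",
        "actively_exploited": any(r["kev"] for r in hits.values()),
        "patch_available": bool(fixes),
        "fixed_version": max(fixes, key=parse_version) if fixes else None,  # earliest release clearing every hit
        "cve_ids": sorted(hits),
    }

if __name__ == "__main__":
    print(check("2.14.1", LOG4J1, LOG4J2))
    print(check("2.14.1", LOG4J1))  # 1.x namespace alone: no CVEs, the silent miss described above
```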