Apache Log4j 2.16.0 available for download, JNDI is now disabled by default


The Apache Log4j 2 team today released Log4j 2.16.0 with two major changes.

  • To prevent CVE-2021-44228, the Message Lookups feature is removed in this release.
  • In the previous 2.15.0 release, the ability to resolve Lookups and log messages was removed. However, leaving JNDI enabled by default puts users at risk. With the 2.16.0 release, the JNDI feature is disabled by default. Users who need this feature can enable it by setting the log4j2.enablejndi system property.

Thanks to the Apache Logging Services Project Management Committee (PMC) for working around the clock to get the release out so quickly. This will help thousands of organizations to protect themselves from external attacks on their Apache servers.

Source: Apache
