The Apache Log4j 2 team today released Log4j 2.16.0 with two major changes.
- To prevent CVE-2021-44228, the Message Lookups feature is removed in this release.
- In the previous 2.15.0 release, the ability to resolve Lookups in log messages was removed. However, leaving JNDI enabled by default puts users at risk. With the 2.16.0 release, JNDI is disabled by default. Users who need JNDI can enable it with the log4j2.enableJndi system property.
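An added example, not code from the Log4j project: a small audit helper that maps log4j-core jar names and JVM arguments to the states described in the two points above. The jar names and JVM arguments are constructed sample input and the function names are hypothetical. It compares only against the 2.15.0 and 2.16.0 thresholds named here and does not special-case releases on older branches.

```python
import re

# Constructed sample input (not from the original announcement).
SAMPLE_JARS = ["log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar",
               "log4j-core-2.16.0.jar", "log4j-api-2.16.0.jar"]
SAMPLE_JVM_ARGS = ["-Xmx512m", "-Dlog4j2.enableJndi=true"]

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Property name matched case-insensitively so the audit errs on the side of flagging.
JNDI_FLAG_RE = re.compile(r"^-Dlog4j2\.enableJndi=(.*)$", re.IGNORECASE)


def core_version(jar_name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_RE.search(jar_name)
    return tuple(int(p) for p in m.groups()) if m else None


def jndi_reenabled(jvm_args):
    """True if the last log4j2.enableJndi setting on the command line is 'true'."""
    enabled = False
    for arg in jvm_args:
        m = JNDI_FLAG_RE.match(arg)
        if m:  # a later -D overrides an earlier one
            enabled = m.group(1).strip().lower() == "true"
    return enabled


def classify(version, jvm_args=()):
    """Map a log4j-core version to the state the release announcement describes."""
    if version < (2, 15, 0):
        return "UPGRADE: predates 2.15.0, message lookups still resolved"
    if version < (2, 16, 0):
        return "UPGRADE: 2.15.x, JNDI still enabled by default"
    if jndi_reenabled(jvm_args):
        return "REVIEW: 2.16.0+, but JNDI re-enabled via log4j2.enableJndi"
    return "OK: 2.16.0+, message lookups removed, JNDI off by default"


def audit(jar_names, jvm_args=()):
    """Return {jar_name: finding} for every log4j-core jar in jar_names."""
    return {name: classify(core_version(name), jvm_args)
            for name in jar_names if core_version(name) is not None}


if __name__ == "__main__":
    for jar, finding in audit(SAMPLE_JARS, SAMPLE_JVM_ARGS).items():
        print(f"{jar}: {finding}")
```
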
Thanks to the Apache Logging Services Project Management Committee (PMC) for working around the clock to get the release out so quickly. This will help thousands of organizations protect themselves from external attacks on their Apache servers.