log4j version 2.17.1

[mmahant17]

Could you please confirm if Log4j version 2.17.1 is supported?
Does this version contain any known vulnerabilities?

[perry2of5]

Please refer to the security page:
https://logging.apache.org/security.html

Also, mvnrepository.com provides links to most security vulnerabilities from affected artifacts. For example, on log4j-core, it doesn't show any vulnerabilities on versions after 2.17.0
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core

[ppkarwasz]

That’s an excellent answer — thank you!
Just to add for completeness: version 2.17.0 was never affected by CVE-2021-44832. This was confirmed in a later review (see apache/logging-site#6).

[mmahant17]

Thank you for your prompt response.

[ppkarwasz]

Could you please confirm if Log4j version 2.17.1 is supported?

Whether we "support" Log4j version 2.17.0 depends on how you define "support," so let’s break it down:

• We no longer maintain the 2.17.x minor version. Only the latest release within the 2.x series receives updates — including security fixes. If a vulnerability is discovered, you'll need to upgrade to the latest 2.x version or patch 2.17.x yourself.

• We do not accept bug reports for 2.17.x. All issues must be reproducible in the latest available version.

• We do accept security vulnerability reports affecting 2.17.x, and we will publish a security advisory if needed. However, as noted above, we will not release new patches for the 2.17.x line.

• Community support remains available on a best-effort basis. We even occasionally answer questions about Log4j 1.x — if someone remembers how it worked! 😝

• For guaranteed support with SLAs, some companies offer commercial support for Log4j.