
Apache Log4j 1 Release Notes

Complete Changelog for NES for Apache Log4j 1

8 Patched Vulnerabilities

Apache Log4j 1

1.2.18 (NES) - December 16, 2025

Notes

  • This release is built from HeroDevs' fork of the open-source Apache Log4j project and includes the changes HeroDevs made so that the framework builds successfully.

Bug Fixes

  • Fixed a serialization vulnerability in SocketServer by hardening how data is deserialized. (CVE-2019-17571)
  • Improved security for SMTPAppender by enabling server identity verification for SSL connections by default. (CVE-2020-9488)
  • Hardened Chainsaw and related components against unsafe deserialization using object whitelisting. (CVE-2020-9493 / CVE-2022-23307)
  • Restricted JNDI usage within the library to only allow objects from the trusted Java JNDI namespace. (CVE-2021-4104)
  • Enhanced JDBCAppender security by utilizing PreparedStatement to prevent SQL injection. (CVE-2022-23305)
  • Secured JMSSink by restricting JNDI lookups to the safe java: namespace. (CVE-2022-23302)
  • Hardened Chainsaw by adding a safeguard that caps the amount of serialized data accepted during deserialization in the affected logging components. (CVE-2023-26464)
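The SocketServer, Chainsaw and data-cap fixes above all come down to the same two controls on Java deserialization: an allowlist of the classes the stream may contain and a limit on how much data is accepted. The following is an added example, not HeroDevs' or Apache's code, showing how both are expressed with the JDK 9+ `ObjectInputFilter` API. The allowlist entries (the log4j 1 `LoggingEvent` graph classes), the numeric limits and the sample payloads are assumptions constructed for the demo; the exact set used in the NES build is not given in the release notes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public final class HardenedEventReader {

    // Assumed allowlist: the classes a log4j 1 LoggingEvent object graph is expected to
    // contain. The exact set used by the NES build is not stated in the release notes.
    static final String FILTER_PATTERN =
            "org.apache.log4j.spi.LoggingEvent;"
          + "org.apache.log4j.spi.ThrowableInformation;"
          + "org.apache.log4j.spi.LocationInfo;"
          + "java.util.Hashtable;"           // MDC copy carried by the event
          + "java.lang.String;"
          + "maxbytes=65536;maxarray=10000;maxdepth=8;"  // constructed limits on accepted data
          + "!*";                            // reject every class not listed above

    static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserializes one object, enforcing the allowlist and the size limits. */
    public static Object readHardened(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);  // a REJECTED status surfaces as InvalidClassException
            return in.readObject();
        }
    }

    /** Plain Java serialization, used only to build the constructed sample payloads. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an allowlisted Hashtable is accepted.
        Hashtable<String, String> mdc = new Hashtable<>();
        mdc.put("requestId", "req-0001");
        System.out.println("accepted: " + readHardened(serialize(mdc)));

        // Constructed sample 2: a class outside the allowlist is refused when its
        // class descriptor is read, before any of its fields are deserialized.
        try {
            readHardened(serialize(new ArrayList<>(List.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected (class): " + e.getMessage());
        }

        // Constructed sample 3: an array longer than maxarray is refused before it is
        // allocated; primitive arrays pass the class allowlist but not the length cap.
        try {
            readHardened(serialize(new int[20_000]));
        } catch (InvalidClassException e) {
            System.out.println("rejected (size): " + e.getMessage());
        }
        System.out.println("accepted small array of length "
                + ((int[]) readHardened(serialize(new int[16]))).length);
    }
}
```

The filter runs when each class descriptor or array header is read, so a rejected class or an oversized array is refused before any of its contents are materialised. In a real SocketServer or Chainsaw receiver the same filter would be set on the stream that reads incoming events, and the allowlist would be verified against the classes the receiver's own log4j version actually serialises.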
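The JNDI restriction described for the library and for JMSSink is, in practice, a prefix check applied before any lookup is delegated to a provider. The following is an added example, not HeroDevs' or Apache's code; the helper name, the policy of accepting only names that begin with `java:`, and the sample names are assumptions made for illustration.

```java
import javax.naming.Context;
import javax.naming.NamingException;

/** Added example: confines JNDI lookups to the in-process java: namespace. */
public final class TrustedJndiLookup {

    // Assumed policy: only the java: namespace, which is served in-process by the
    // container, is trusted. URL-style names select a network provider and are refused.
    static final String TRUSTED_PREFIX = "java:";

    /** Returns true only for names rooted in the trusted namespace. */
    static boolean isTrustedName(String name) {
        return name != null && name.startsWith(TRUSTED_PREFIX);
    }

    /** Performs the lookup only after the namespace check passes. */
    public static Object lookup(Context ctx, String name) throws NamingException {
        if (!isTrustedName(name)) {
            // Fail closed: refusing here means the provider is never consulted for the name.
            throw new NamingException("JNDI lookup refused, name is outside "
                    + TRUSTED_PREFIX + ": " + name);
        }
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; only the first would reach Context.lookup.
        String[] names = {
            "java:comp/env/jms/ConnectionFactory",
            "ldap://example.invalid/cn=x",
            "ConnectionFactory"
        };
        for (String n : names) {
            System.out.println(n + " -> " + (isTrustedName(n) ? "allowed" : "refused"));
        }
    }
}
```

The `main` method only exercises the check, since a real `Context.lookup` needs a configured JNDI provider such as an application server; the point of the guard is that an unqualified or URL-style name never reaches that provider at all.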

Full Version: 1.2.17-log4j-1.2.18