HeroDevs

Apache Log4j 2.17.x Release Notes

1 version

Comprehensive release notes and changelog for Apache Log4j 2.17.x, including security patches, bug fixes, and feature updates across all supported versions.

May 4, 2026

Latest: 2.17.3

13 Patched Vulnerabilities

VEX Statements

May 2026

2.17.3

Released May 4, 2026

strong,[object Object],CVE-2025-68161

strong,[object Object],CVE-2026-34477

strong,[object Object],CVE-2026-34479

strong,[object Object],CVE-2026-34480

strong,[object Object],CVE-2026-34481

Full Version:

2.17.2-log4j-2.17.3

Notes

This release originates from the open‑source Apache Log4j project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.

Bug Fixes

Fix host name verification in SSLSocketManager. (CVE-2025-68161)
Align SslConfiguration factory method usage with Log4j 2.12+ API. (CVE-2026-34477)
Replace invalid XML characters in Log4j1XmlLayout. (CVE-2026-34479)
Replace invalid XML characters in XmlLayout. (CVE-2026-34480)
Write non-finite floating-point values as strings in JsonWriter. (CVE-2026-34481)

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team