Visit NES for Apache Log4j Home Page
Apache Log4j 2 2.18.x Release Notes
2 versions
Comprehensive release notes and changelog for Apache Log4j 2 2.18.x, including security patches, bug fixes, and feature updates across all supported versions.
July 2026
2.18.2
Released Jul 9, 2026 Full Version:
2.18.0-log4j-2.18.2
Bug Fixes
- Honor the
verifyHostNameattribute in TLS/SSL configuration so it is no longer silently ignored (log4j-core). (CVE-2026-34477, GHSA-6hg6-v5c8-fphq) - Verify the TLS hostname in the Socket Appender's
SSLSocketManager(log4j-core). (CVE-2025-68161, GHSA-vc5p-v9hr-52mj) - Sanitize XML 1.0 forbidden characters in
XmlLayout(log4j-core) to prevent silent loss of log events. (CVE-2026-34480, GHSA-3pxv-7cmr-fjr4) - Sanitize XML 1.0 forbidden characters in
Log4j1XmlLayout(log4j-1.2-api) to prevent silent loss of log events. (CVE-2026-34479, GHSA-h383-gmxw-35v2) - Serialize non-finite floating-point values (NaN/Infinity) as valid JSON in
JsonTemplateLayout(log4j-layout-template-json). (CVE-2026-34481, GHSA-w35j-pv5h-q9q9)
2.18.1
Released Jul 9, 2026 Full Version:
2.18.0-log4j-2.18.1
Notes
- This release originates from the open‑source Apache Log4j project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
- Initial NES release for the Apache Log4j 2 artifacts on the 2.18.x line, anchored on Apache Log4j 2.18.0.
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh