Release Notes

Complete Changelog for NES for Apache Log4j

Apache Log4j

1.2.18 (NES) - December 16, 2025

Notes

  • This release is based on the HeroDevs fork of the open-source Apache Log4j project. It includes modifications made by HeroDevs so that the framework builds successfully.

Bug Fixes

This release patches the following:

  • CVE-2019-17571: Fixed a deserialization vulnerability in SocketServer by hardening how data is deserialized.
  • CVE-2020-9488: Improved security for SMTPAppender by enabling server identity verification for SSL connections by default.
  • CVE-2020-9493 / CVE-2022-23307: Hardened Chainsaw and related components against unsafe deserialization using object whitelisting.
  • CVE-2021-4104: Restricted JNDI usage within the library to only allow objects from the trusted Java JNDI namespace.
  • CVE-2022-23305: Enhanced JDBCAppender security by utilizing PreparedStatement to prevent SQL injection.
  • CVE-2022-23302: Secured JMSSink by restricting JNDI lookups to the safe java: namespace.

Full Version: 1.2.17-log4j-1.2.18